The noisy-storage model allows the implementation of secure two-party protocols under the sole
assumption that no large-scale reliable quantum storage is available to the cheating party. No 
quantum storage is thereby required for the honest parties. Examples of such protocols include 
bit commitment, oblivious transfer and secure identification. Here, we provide a guideline for the 
practical implementation of such protocols. In particular, we analyze security in a practical setting 
where the honest parties themselves are unable to perform perfect operations and need to deal with 
practical problems such as errors during transmission and detector inefficiencies. We provide explicit 
security parameters for two different experimental setups using weak coherent, and parametric down 
conversion sources. In addition, we analyze a modification of the protocols based on decoy states.

I. INTRODUCTION



Quantum cryptography allows us to solve cryptographic tasks without resorting to unproven computational
assumptions. One example is quantum key distribution (QKD), which is well studied within quantum information [H, 0].
In QKD, the sender (Alice) and the receiver (Bob) trust each other, but want to shield their communication from the
prying eyes of an eavesdropper. In many other cryptographic problems, however, Alice and Bob themselves do not
trust each other, but nevertheless want to cooperate to solve a certain task. An important example of such a task is
secure identification. Here, Alice wants to identify herself to Bob (possibly an ATM machine) without revealing her
password. More generally, Alice and Bob wish to perform secure function evaluation as depicted in Figure 1.



FIG. 1: Alice holds an input x (e.g. her password), and Bob holds an input y (e.g. the password an honest Alice should possess),
and they want to obtain the value of some function f(x, y) (e.g. the equality function).



In this scenario, security means that the legitimate users should not learn anything beyond this specification. 
That is, Alice should not learn anything about y and Bob should not learn anything about x, other than what they 
may be able to infer from the value of f(x,y). Classically, it is possible to solve this task if one is willing to make 
computational assumptions, such as that factoring of large integers is difficult. Sadly, these assumptions remain 
unproven. Unfortunately, even quantum mechanics does not allow us to implement such interesting cryptographic 
primitives without further assumptions 



A. The noisy-storage model 

The noisy-storage model (NSM) allows us to obtain secure two-party protocols under the physical assumption
that any cheating party does not possess a large reliable quantum storage. First introduced in d, Q, the NSM
has recently [10] been shown to encompass both the case where the adversary has a bounded amount of noise-free
storage [11, 12] (also known as the bounded-storage model), as well as the case where the adversary has access
to a potentially large amount of noisy storage. This last assumption is well justified given the state of present day
technology, and the fact that merely transferring the state of a photonic qubit onto a different carrier (such as an atomic
ensemble) is typically already noisy, even if the resulting quantum memory is perfect. In the protocols considered, the
honest parties themselves do not require any quantum storage at all. We briefly review the NSM here for completeness.
Without loss of generality, noisy quantum storage is described by a family of completely positive trace-preserving maps
$\{\mathcal{F}_t : \mathcal{B}(\mathcal{H}_{\rm in}) \to \mathcal{B}(\mathcal{H}_{\rm out})\}_{t > 0}$, where t is the time that the adversary uses his storage device. An input state $\rho$ on $\mathcal{H}_{\rm in}$
stored at time $t_0 = 0$ decoheres over time, resulting in a state $\mathcal{F}_t(\rho)$ of the memory at time t. We make the minimal
assumption that the noise is Markovian, meaning that the adversary does not gain any advantage by delaying the
readout whenever he wants to retrieve encoded information: waiting longer only degrades the information further. The
only assumption underlying the noisy-storage model consists in demanding that the adversary can only keep quantum
information in this noisy storage device. In particular, he is otherwise completely unrestricted - for example, he can
perform arbitrary (instantaneous) quantum computations using information from the storage device and additional
ancillas. In particular, he is able to perform perfect, noise-free, quantum computation and communication. However,
after his computation he needs to discard all quantum information except what is contained in the storage device,
where he may prepare an arbitrary encoded state on $\mathcal{H}_{\rm in}$. This scenario is illustrated in Figure 2.

How can we obtain security from such a physical assumption? We consider protocols which force the adversary to
store quantum information for extended periods to gain information: This is achieved by using certain time delays $\Delta t$
at specific points in the protocol (e.g., before starting a round of communication). This forces the adversary to use
his device for a time at least $\Delta t$ if he wants to preserve quantum information. Due to the Markovian assumption, it
suffices to analyze security for the channel $\mathcal{F} = \mathcal{F}_{\Delta t}$. Hence the security model can be summarized as follows:

• The adversary has unlimited classical storage, and (quantum) computational resources. He is able to perform
any operations noise-free and has access to a noise-free quantum channel.

• Whenever the protocol requires the adversary to wait for a time $\Delta t$, he has to measure/discard all his quantum
information except what he can encode (arbitrarily) into $\mathcal{H}_{\rm in}$. This information then undergoes noise described
by $\mathcal{F}$.

FIG. 2: During waiting times $\Delta t$, the adversary must use his noisy-quantum storage described by the CPTP map $\mathcal{F}$. Before
using his quantum storage, he performs any (error-free) "encoding attack" of his choosing, which consists of a measurement or
an encoding into an error-correcting code. After time $\Delta t$, he receives some additional information that he can use for decoding.

We stress that in contrast to the adversary's potential resources allowed in this model, the technological demands 
on honest parties are minimal: in our protocol, honest parties merely need to prepare and measure BB84-encoded 
qubits [43] and do not require any quantum storage.

B. Challenges in a practical implementation 

In this work we focus on how to put the protocols of [10] into practice. Unfortunately, the theoretical analysis
of [13] assumes perfect single-photon sources that are not available yet [13, 14]. Here, we remove this assumption
leading to a slightly modified protocol that can be implemented immediately using today's technology. At first glance,
it may appear that the security analysis for a practical implementation differs little from the problems encountered
in practical realizations of QKD. After all, the quantum communication part of the protocols in [10] consists of Alice
sending BB84 states to Bob. Yet, since now the legitimate users do not trust each other, the analysis differs from
QKD in several fundamental aspects. Intuitively, these differences arise because Alice and Bob do not cooperate to
check on an outside eavesdropper. Quite on the contrary, Alice can never rely on anything that Bob says. A second
important aspect that differentiates the setting in [10] from QKD lies in the task the cryptographic protocols aim to
solve. For instance, secure identification is particularly interesting at extremely short distances, for which Alice would
ideally use a small, low power, portable device. Bob, on the other hand, may use more bulky detectors. At such short
distances, we could furthermore use visible light for which much better detectors exist than those typically used in
QKD at telecom wavelengths. It is an interesting experimental challenge to come up with suitable devices. Small
handheld setups have been proposed to perform QKD at short distance [15], which we can also hope to use here. The
QKD devices of [15] have been devised to distribute non-reusable authentication keys which could also be employed
for identification. At such short distance, this could also be achieved by, for example, loading keys onto a USB stick
at a trusted loading station at a bank. We emphasize that our work is in spirit very different in that we
allow authentication keys to be reused over and over again, just as traditional passwords [16].

We first analyze a generic experimental setup in Section II. More specifically, we present a source-independent
characterization of such a setup and discuss all parameters that are necessary to evaluate security in the NSM.
Especially important is that in any real-world setting even the honest parties do not have access to perfect quantum
operations, and the channel connecting Alice and Bob is usually noisy. The challenge we face is to enable the honest
parties to execute the protocol successfully in the presence of errors, while ensuring that the protocol remains secure
against any cheating party. We shall always assume a worst-case scenario where a cheating party is able to perform
perfect quantum operations and does not experience channel noise; its only restriction is its noisy quantum storage.

FIG. 3: A general setup for weak string erasure.

The primary source of errors at short distances lies in the low detector efficiencies of present day single-photon
detectors. For telecom wavelengths these detector efficiencies rju lie at roughly 10%, whereas at visible wavelengths one
can use detectors of about 70% efficiency. Hence, a considerable part of the transmissions will be lost. In Section III
we augment the protocol for weak string erasure presented in [10] to deal with such erasure errors. This protocol is
the main ingredient to realize the primitive of oblivious transfer, which can be used to solve the problem of computing
a function f(x,y). The second source of errors lies in bit errors which result from noise on the channel itself or
imperfections in Alice and Bob's measurement apparatus. At short distances, such errors will typically be quite small.
In Section HVl we show how to augment the protocol for oblivious transfer to deal with bit errors. It should be noted
that we treat these errors in the classical communication part of the protocols, independently of erasure errors, and
similar techniques may be used in other schemes based on weak string erasure in the future.

To obtain security, we have to make a reasonable estimation of the errors that the honest parties expect to occur. We
state the necessary parameters in Section II and provide concrete estimates for two experimental setups in Section fVl.
In particular, we present explicit security parameters for a source of weak coherent pulses, and a parametric down
conversion (PDC) source. Throughout, we assume that the reader is familiar with commonly used entropic quantities
also relevant for QKD, and quantum information. An introduction to all concepts relevant for security in the NSM is
given in [10].



II. GENERAL SETUP 



Before turning to the actual protocols, we need to investigate the parameters involved in an experimental setup.
The quantum communication part of all the protocols in the NSM is a simple scheme for weak string erasure which
we will describe in detail in the next section. In each round of this protocol, Alice chooses one of the four possible
BB84 states [17] at random and sends this state to Bob. Bob then measures the received state in either the
computational or the Hadamard basis, chosen at random. Such a setup is characterized by a source held by Alice, and a measurement
apparatus held by Bob as depicted in Figure 3. The source can as well include a measurement device, depending
on the actual state preparation process (e.g. when a PDC source acts as a triggered single-photon source). If Alice
is honest, we can trust the source entirely, which means that in principle we have full knowledge of its parameters.
Note, however, that in any practical setting the parameters of the source will undergo small fluctuations. For clarity
of exposition, we do not take these fluctuations into account explicitly, but assume that all the parameters below are
worst-case estimates of what we can reasonably expect from our source.



A. Source parameters 

Unfortunately, we do not have access to a perfect single-photon source in a practical setting [13, 14], but can only
arrange the source to emit a certain number of photons with a certain probability. To approximate a single-photon
source, we will later let Alice perform some measurements herself to exclude multi-photon events in the case of a PDC
source. The following table summarizes the two relevant probabilities we need to know in any implementation. When
using decoy states, we will frequently add an index s to all parameters to specify a particular source s that is used.



probability | description
$p^n_{\rm src}$ | the source emits n photons.
$p^n_{\rm sent}$ | the source emits n photons conditioned on the event that Alice concludes that one photon has been emitted.

In our analysis, we will be interested in bounding the number of single-photon emissions in M rounds of the protocol,
which can be achieved using the well-known Chernoff's inequality (see e.g. [Hj]): Suppose we have a source that emits
a single photon with probability $p^1_{\rm src}$ and a different number of photons otherwise. How many single-photon emissions
do we expect? Intuitively, it is clear that in M rounds we have roughly $p^1_{\rm src} M$ many. Yet, in the following we need to
consider a small interval around $p^1_{\rm src} M$, such that the probability that we do not fall into this interval is extremely
small. More precisely, we want that

$\Pr\left[\,|S - p^1_{\rm src} M| \geq \zeta^1_{\rm src} M\,\right] \leq \varepsilon$, (1)

where S is the number of single-photon emissions. To apply Chernoff's inequality, let $X_j = 1$ denote the event where
a single-photon emission occurred, and let $X_j = 0$ otherwise, giving us $S = \sum_j X_j$. We then demand that

$2 e^{-2 (\zeta^1_{\rm src})^2 M} \leq \varepsilon$, (2)

which can be achieved by choosing $\zeta^1_{\rm src} = \sqrt{\ln(2/\varepsilon)/(2M)}$. Operationally this means that the number of
single-photon emissions lies in the interval $[(p^1_{\rm src} - \zeta^1_{\rm src})M, (p^1_{\rm src} + \zeta^1_{\rm src})M]$, except with probability $\varepsilon$. Note that for M
being very large we indeed have $\zeta^1_{\rm src} \approx 0$, leaving us with approximately $p^1_{\rm src} M$ many single-photon emissions. By
exactly the same argument, if now M refers to the number of rounds in the protocol where Alice concluded the source
emitted single photons, the actual number of single-photon rounds within these post-selected events lies in the interval
$[(p^1_{\rm sent} - \zeta^1_{\rm sent})M, (p^1_{\rm sent} + \zeta^1_{\rm sent})M]$ for $\zeta^1_{\rm sent} = \sqrt{\ln(2/\varepsilon)/(2M)}$, except with probability $\varepsilon$. We will make use of this
argument repeatedly and use $\zeta_y$ to denote the interval when considering an event that occurs with probability $p_y$.

We would like to emphasize that for our security proof to work, we only need a conservative lower bound on the
number of single-photon emissions. Should there be some intensity fluctuations in Alice's laser, then, provided that we know
the worst case (i.e., a conservative lower bound $p^1_{\rm src}$) in the asymptotic case of large M, the discussion for the
finite-size case will go through if we consider a one-sided bound in Equation (1), i.e., $\Pr[S < (p^1_{\rm src} - \zeta^1_{\rm src})M] \leq \varepsilon$.



B. Error parameters 



For any setup, we need to determine the following error parameters. These parameters should be a reasonable 
estimate that is made once for a particular experimental implementation and fixed during subsequent executions of 
the protocol. For instance, for a given device meant to be used for identification, these estimates would be fixed 
during construction. 



1. Losses 



As mentioned above, the primary restriction in a practical setting arises from the loss of signals. These losses can 
occur on the channel, or be caused by detector inefficiencies. The following table summarizes all the probabilities we 
need. Throughout, we use the superscripts h and d to indicate that these parameters apply to an honest or dishonest 
party respectively. 



probability | description
$p^n_{\rm erase}$ | n photons are erased on the channel
$p^h_{B,\mathrm{click}}$ | honest Bob observes a click in his detection apparatus
$p^h_{B,\mathrm{no\ click}}$ | honest Bob observes no click in his detection apparatus
$p^{h|n}_{B,\mathrm{click}}$ | honest Bob observes a click in his detection apparatus, conditioned on the event that Alice sent n photons.
$p^h_{B,S,\mathrm{no\ click}}$ | honest Bob observes no click from the signal alone
$p_{\rm dark}$ | an honest player obtains a click when the signal was a vacuum state (dark count)



Note that we have 



Pb, : 



click 



h\n 

Pb .no click ' 



(3) 



and again the number of rounds we expect to be lost can be bounded to lie in the interval
$[(p^h_{B,\mathrm{no\ click}} - \zeta^h_{B,\mathrm{no\ click}})M, (p^h_{B,\mathrm{no\ click}} + \zeta^h_{B,\mathrm{no\ click}})M]$ with $\zeta^h_{B,\mathrm{no\ click}} = \sqrt{\ln(2/\varepsilon)/(2M)}$, except with probability $\varepsilon$.

2. Bit errors



The second source of errors are bit-flip errors that can occur due to imperfections in Alice's or Bob's measurement
apparatus or due to noise on the channel. We use the following notation for the probability of such an event in the
case that Bob is honest. This probability depends on the detection error $e_{\rm det}$ in our experimental setup, i.e., on the
probability that a signal sent by Alice produces a click in the erroneous detector on Bob's side, and on $p_{\rm dark}$. The
quantity $e_{\rm det}$ characterizes the alignment and stability of the optical system.

parameter | description
$e_{\rm det}$ | detection error
$p^h_{B,\mathrm{err}}$ | honest Bob outputs the wrong bit

For a single bit $b \in \{0, 1\}$, a bit-flip error is described by the classical binary symmetric channel with error parameter
$p_{\rm err}$:

$b \mapsto \begin{cases} b & \text{with probability } 1 - p_{\rm err}, \\ 1 - b & \text{with probability } p_{\rm err}. \end{cases}$ (4)

When each bit of a k-bit string is independently affected by bit-flip errors, the noise can be described by the channel
where we omit the explicit reference to k on the l.h.s. when it is clear from the context.



C. Parameters for dishonest Bob 



Recall our conservative assumption that a dishonest party is only restricted by its noisy quantum storage, but can 
otherwise perform perfect quantum operations and has access to a perfect channel. Yet, even for a dishonest Bob 
there are some errors he cannot avoid, caused by the imperfections in Alice's apparatus. If Alice's source simply 
outputs no photon for example, then even a dishonest Bob cannot detect the transmission which is captured by the 
following parameter. 



probability | description
$p^d_{B,\mathrm{no\ click}}$ | dishonest Bob observes no click in his detection apparatus

Generally, we have $p^d_{B,\mathrm{no\ click}} = p^0_{\rm sent}$. In the protocols that follow, we will ask an honest Bob to report any round
as missing that has not resulted in a click. Without loss of generality, we can assume that even a dishonest Bob
will report a particular round as lost when he does not observe a click. Of course, if Bob is dishonest he potentially
chooses to report additional rounds as missing.

In our analysis, we also have to evaluate the following probability which depends on the experimental setup, as well
as on our choice of protocol parameters.

probability | description
$p^{d,n}_{B,\mathrm{err}}$ | dishonest Bob outputs the wrong bit if Alice sent n photons, and he gets the basis information for free

FIG. 4: Weak string erasure with errors when both parties are honest. $\mathcal{E}_{p_{\rm err}}$ denotes the bit-error channel defined in (5).



III. WEAK STRING ERASURE WITH ERRORS 



The basic quantum primitive upon which all other protocols in [10] are based is called weak string erasure. Intuitively,
weak string erasure provides Alice with a random m-bit string $X^m$ and Bob with a random set of indices
$\mathcal{I} \in 2^{[m]}$ and the substring $X_\mathcal{I}$ of $X^m$ restricted to the elements in $\mathcal{I}$ [44]. If Bob is honest, then we demand that
whatever attack dishonest Alice mounts, she cannot gain any information about which bits Bob has learned. That is,
she cannot gain any information about $\mathcal{I}$. If Alice herself is honest, we demand that the amount of information that
Bob can gain about the string $X^m$ is limited.

We now present an augmented version of the weak string erasure protocol proposed in [10] that allows us to deal
with the inevitable errors encountered during a practical implementation. We thereby address the two possible errors
separately: losses are dealt with directly in weak string erasure. Bit-flip errors, however, are not corrected in weak
string erasure itself, but in subsequent protocols [45]. We will thus implement weak string erasure with errors where
the substring $X_\mathcal{I}$ is allowed to be affected by bit-flip errors. That is, honest Bob actually receives $\mathcal{E}_{p_{\rm err}}(X_\mathcal{I})$ where
$\mathcal{E}_{p_{\rm err}}$ is the classical channel corresponding to the bit errors as given in (5), with $k = |\mathcal{I}|$ being the length of the string
$X_\mathcal{I}$. Figure 4 provides an intuitive description of this task.

We now provide an informal definition of weak string erasure with errors. A formal definition can be found in
Appendix [5]. Even in this informal definition we need to quantify the knowledge that a cheating Bob has about
the string $X^m$ given access to his entire system $B'$ [46]. This quantity has a simple interpretation in terms of the
min-entropy as $H_\infty(X^m|B') = -\log P_{\rm guess}(X^m|B')$, where $P_{\rm guess}(X^m|B')$ represents the probability that Bob guesses
$X^m$, maximized over all measurements of the quantum part $B'$. The quantity $H^\varepsilon_\infty(X^m|B')$ thereby behaves like
$H_\infty(X^m|B')$, except with probability $\varepsilon$. We refer to [10] for an introduction to these quantities and their use in the
NSM.

Definition III.1 (Informal). An $(m, \lambda, \varepsilon, p_{\rm err})$-weak string erasure protocol with errors (WSEE) is a protocol between
Alice and Bob satisfying the following properties, where $\mathcal{E}_{p_{\rm err}}$ is defined as in (5):

Correctness: If both parties are honest, then Alice obtains a randomly chosen m-bit string $X^m \in \{0, 1\}^m$, and Bob
obtains a randomly chosen subset $\mathcal{I} \subseteq [m]$, as well as the string $\mathcal{E}_{p_{\rm err}}(X_\mathcal{I})$.

Security for Alice: If Alice is honest, then the amount of information Bob has about $X^m$ is limited to

$\frac{1}{m} H^\varepsilon_\infty(X^m|B') \geq \lambda$, (6)

where $B'$ denotes the total state of Bob's system.

Security for Bob: If Bob is honest, then Alice learns nothing about $\mathcal{I}$.

We are now ready to state a simple protocol for WSEE. We thereby introduce explicit time slots into the protocol.
If Alice herself concludes that no photon or a multi-photon has been emitted in a particular time slot, she simply
discards this round and tells Bob to discard this round as well. Since this action represents no security problem for
us, we will for simplicity omit these rounds altogether when stating the protocol below. This means that the number
of rounds M in the protocol below actually refers to the set of post-selected pulses that Alice did count as a valid
round.

In addition, introducing time slots enables Bob to report a particular bit as missing, if he has obtained no click in a
particular time slot. Alice and Bob will subsequently discard all missing rounds. This does pose a potential security
risk, which we need to analyze and hence we explicitly include this step in the protocol below.

Protocol 1: Weak String Erasure with Errors (WSEE)

Outputs: $x^m \in \{0, 1\}^m$ to Alice, $(\mathcal{I}, z^{|\mathcal{I}|}) \in 2^{[m]} \times \{0, 1\}^{|\mathcal{I}|}$ to Bob.

1. Alice: Chooses a string $x^M \in_R \{0, 1\}^M$ and basis-specifying string $\theta^M \in_R \{0, 1\}^M$ uniformly at random.

2. Bob: Chooses a basis string $\tilde{\theta}^M \in_R \{0, 1\}^M$ uniformly at random.

3. In time slot $i = 1, \ldots, M$ (considered a valid round by Alice):

   1. Alice: Encodes bit $x_i$ in the basis given by $\theta_i$ (i.e., as $H^{\theta_i}|x_i\rangle$), and sends the resulting state to Bob.

   2. Bob: Measures in the basis given by $\tilde{\theta}_i$ to obtain outcome $\tilde{x}_i$. If Bob obtains no click in this time slot,
      he records round i as missing.

4. Bob: Reports to Alice which rounds were missing.

5. Alice: If the number of rounds that Bob reported missing does not lie in the interval
   $[(p^h_{B,\mathrm{no\ click}} - \zeta^h_{B,\mathrm{no\ click}})M, (p^h_{B,\mathrm{no\ click}} + \zeta^h_{B,\mathrm{no\ click}})M]$, then Alice aborts the protocol. Otherwise, she deletes all bits from
   $x^M$ that Bob reported missing. Let $x^m \in \{0, 1\}^m$ denote the remaining bit string, and let $\theta^m$ be the
   basis-specifying string for the remaining rounds. Let $\tilde{\theta}^m$ and $\tilde{x}^m$ be the corresponding strings for Bob.

Both parties wait time $\Delta t$.

6. Alice: Sends the basis information $\theta^m$ to Bob, and outputs $x^m$.

7. Bob: Computes $\mathcal{I} := \{i \in [m] \mid \theta_i = \tilde{\theta}_i\}$, and outputs $(\mathcal{I}, z^{|\mathcal{I}|}) := (\mathcal{I}, \tilde{x}_\mathcal{I})$.
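
The following Python code is an added example, not code from the paper: it emulates Protocol 1 classically for honest devices and applies the interval of Eq. (2) in Alice's abort check of step 5. It assumes every valid round carries a single photon; the loss and bit-error values, the seed, and the `extra_missing` parameter (rounds Bob reports missing although he saw a click) are constructed for illustration.

```python
import math
import random


def hoeffding_zeta(M, eps):
    """Half-width zeta solving 2*exp(-2*zeta^2*M) = eps, as in Eq. (2)."""
    return math.sqrt(math.log(2.0 / eps) / (2.0 * M))


def missing_interval(M, p_no_click, eps):
    """Interval Alice accepts for the number of rounds reported missing (step 5)."""
    zeta = hoeffding_zeta(M, eps)
    return (p_no_click - zeta) * M, (p_no_click + zeta) * M


def run_wsee(M, p_no_click, p_err, eps, seed, extra_missing=0):
    """Classical emulation of Protocol 1 over M valid single-photon rounds.

    p_no_click and p_err are honest Bob's loss and bit-flip probabilities
    (constructed values). extra_missing is a hypothetical knob: the number of
    clicked rounds Bob additionally reports as missing.
    """
    rng = random.Random(seed)

    # Steps 1-2: Alice picks bits and bases, Bob picks his own bases.
    x = [rng.randrange(2) for _ in range(M)]
    theta = [rng.randrange(2) for _ in range(M)]
    theta_b = [rng.randrange(2) for _ in range(M)]

    # Step 3: Bob's outcome per time slot (None means no click).
    x_b = [None] * M
    for i in range(M):
        if rng.random() < p_no_click:
            continue
        if theta_b[i] == theta[i]:
            # Same basis: Alice's bit, flipped with probability p_err.
            x_b[i] = x[i] ^ int(rng.random() < p_err)
        else:
            # Conjugate basis: a BB84 state gives a uniformly random outcome.
            x_b[i] = rng.randrange(2)

    # Step 4: Bob reports the missing rounds.
    clicked = [i for i in range(M) if x_b[i] is not None]
    missing = set(range(M)) - set(clicked)
    missing.update(clicked[:extra_missing])

    # Step 5: Alice aborts if the count leaves the expected interval.
    lo, hi = missing_interval(M, p_no_click, eps)
    if not lo <= len(missing) <= hi:
        return {"aborted": True, "missing": len(missing)}
    kept = [i for i in range(M) if i not in missing]
    x_m = [x[i] for i in kept]

    # After the waiting time: steps 6-7, Bob learns theta^m and computes I.
    I = [j for j, i in enumerate(kept) if theta[i] == theta_b[i]]
    z = [x_b[kept[j]] for j in I]
    errors = sum(1 for j, bit in zip(I, z) if bit != x_m[j])
    return {"aborted": False, "missing": len(missing), "m": len(kept),
            "x_m": x_m, "I": I, "z": z, "errors": errors}


if __name__ == "__main__":
    honest = run_wsee(20000, 0.3, 0.02, 1e-9, seed=2)
    print("honest run: m =", honest["m"], "|I| =", len(honest["I"]),
          "bit errors in z =", honest["errors"])
    over = run_wsee(20000, 0.3, 0.02, 1e-9, seed=3, extra_missing=1000)
    print("over-reporting run aborted:", over["aborted"])
```

With these constructed values the acceptance interval is about 7 standard deviations wide on each side, so an honest run passes while 1000 extra missing reports push the count outside it.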



A. Security analysis 

1. Parameters 

We prove the security of Protocol 1 in Appendix A, where our analysis forms an extension of the proof presented
in The security proof for dishonest Alice is analogous to [10]. The only novelty is to ensure that allowing Bob
to report rounds as missing does not compromise the security. Here, we focus on weak string erasure with errors,
when the adversary's storage is of the form $\mathcal{F} = \mathcal{N}^{\otimes \nu M_{\rm store}}$, and $\mathcal{N}$ obeys the strong converse property. An
important example is the d-dimensional depolarizing channel. For this case, we can give explicit security parameters
in terms of the amount of noise generated by $\mathcal{N}$. The quantity $\nu$ denotes the storage rate, and $M_{\rm store}$ is the number
of single-photon emissions that we expect an honest Bob to receive for large M. That is

$M_{\rm store} := p^1_{\rm sent} \cdot p^{h|1}_{B,\mathrm{click}} \cdot M$. (7)

We hence allow Bob's storage size to be determined as in the idealized setting of [10], where we have only single-photon
emissions. Throughout, we let $M^{(n)}$ denote the number of n-photon emissions in M valid rounds, and use $r^{(n)}$ to
denote the fraction of these n-photon pulses that Bob decides to report as missing. Clearly, $r^{(n)}$ is not a parameter
we can evaluate, but depends on the strategy of dishonest Bob. Finally, we use
$M^{(n)}_{\rm left} = (1 - r^{(n)}) M^{(n)}$ to denote the
number of n-photon pulses that are left. Note that $M^{(n)}_{\rm left}$ is a function of $r^{(n)}$ chosen by Bob according to certain
constraints which we investigate later. A proof of Theorem III.2, as well as a generalization to other channels $\mathcal{F}$ not
necessarily of the form $\mathcal{F} = \mathcal{N}^{\otimes \nu M_{\rm store}}$, can be found in Appendix [5]. Here, we state the theorem for a worst-case
setting which can be obtained using (A29). This result is independent of the actual choice of signals that Bob chooses
to report as missing. For simplicity, we present the theorem omitting terms that vanish for large M. These terms
are, however, considered in Appendix A.

Theorem III.2 (WSEE). Let Bob's storage be given by $\mathcal{F} = \mathcal{N}^{\otimes \nu M_{\rm store}}$ for a storage rate $\nu > 0$, $\mathcal{N}$ satisfying the
strong converse property flSj and having capacity $C_\mathcal{N}$ bounded by

n ( 1 A Pscnt ~-PB.no click +P]3,no click /„%

x 7 ^sent Pb, click

Then Protocol 1 is an $(m, \lambda(\delta), \varepsilon(\delta), p^h_{B,\mathrm{err}})$-weak string erasure protocol with errors with the following parameters: Let
$\delta \in \,]0, \frac{1}{2} - C_\mathcal{N} \cdot \nu[$. Then the min-entropy rate $\lambda(\delta)$ is given by



X(S) — min — 

{r<")}„ m 



^)-M storc -^MSlog(l-^; 



(9) 



where $\gamma^\mathcal{N}$ is the strong converse parameter of $\mathcal{N}$ (see U5\) ) and the minimization is taken over all $\{r^{(n)}\}_n$ such that
$\sum_{n=1}^{\infty} r^{(n)} M^{(n)} \leq M_{\rm report}$, $M_{\rm store}$ is given by (7), and

$m = \sum_{n=1}^{\infty} M^{(n)}_{\rm left}$ (the number of remaining rounds),

$M_{\rm report} = (p^h_{B,\mathrm{no\ click}} - p^d_{B,\mathrm{no\ click}}) M$ (the number of rounds dishonest Bob can report missing),

R = (i — <5) 1 h ^[ < ' (the rate at which dishonest Bob has to send information through storage) , 

Pb, dick 

for sufficiently large M . The error has the form 

e(S) < 4 exp (-——A- _ . ( P l cnt - p% click + p% click )M) . (10) 

V 512(4 + log i) 2 J 

What kind of channels $\mathcal{N} : \mathcal{B}(\mathcal{H}_{\rm in}) \to \mathcal{B}(\mathcal{H}_{\rm out})$ satisfy the strong converse property? It was recently shown
in [T^ | that all channels for which the maximum $\alpha$-norm is multiplicative, and which are group covariant, that is
$\mathcal{N}(g \rho g^\dagger) = g \mathcal{N}(\rho) g^\dagger$ for all $g \in G$ where g acts irreducibly on the output space $\mathcal{H}_{\rm out}$, satisfy this property. An
important example of such a channel is the d-dimensional depolarizing channel given as

$\mathcal{N}_r(\rho) := r\rho + (1 - r)\frac{\mathbb{I}}{d}$, (11)

which replaces the input state $\rho$ with the completely mixed state $\mathbb{I}/d$ with probability $1 - r$. Security parameters for
this channel can be found in [10] for the case of a perfect setup with a single-photon source, assuming no errors nor
detection inefficiencies.



2. Limits to security 



Before analyzing in detail concrete practical implementations based on a weak coherent source, and a PDC source, 
we investigate when security can be obtained at all for the d-dimensional depolarizing channel as a function of p\ cnt , 

-Pb no clicks -Pb no click: an d -PbIio click m comparison to the storage parameters r and v. Note that for the security 
parameter $\varepsilon(\delta)$ to vanish we need

$p^1_{\rm sent} - p^h_{B,\mathrm{no\ click}} + p^d_{B,\mathrm{no\ click}} > 0$. (12)

Second, we require (in the limit of large M where we may choose S — > 0) that 

„ 1 -Pscnt " Ps,no click + Pj3,no click /-, n 

Ctf r -v<- m , (13) 

Psent ' Pb, click 

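where $C_{\mathcal{N}_r}$ is given by [20]

$C_{\mathcal{N}_r} = \log d + \left(r + \frac{1-r}{d}\right) \log\left(r + \frac{1-r}{d}\right) + (d - 1)\frac{1-r}{d} \log\frac{1-r}{d}$. (14)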

In Sections lV Al and IV Bl we provide sample trade-offs between r and v for some typical values of the source parameters, 
and the losses. 

To determine the magnitude of the actual security parameters, we need to evaluate the strong converse parameter
$\gamma^\mathcal{N}$ [jjl]. In the case of the d-dimensional depolarizing channel it can be expressed as [10]



7^ (R) := max <j R - log d H — log 

a>l a 1 



+ (d-l) 



(15)

For a general definition and discussion on how to evaluate this parameter for other channels see [l(J Qjl . For simplicity,
we consider here a setup where Bob always gains full information from a multi-photon emission, that is $p^{d,n}_{B,\mathrm{err}} = 0$ for
$n > 1$. This means that he will never report any such rounds as missing, that is, $r^{(n)} = 0$ for $n > 1$. From (A29) it
follows that



X(S)> 



v ■ 7' 



M 



-Psent 



click ' PB, 



click 



1 Ml 

Pscnt ' Pb, click 



(16) 



provided the security conditions (12) and (13) are satisfied. In Sections IV Al and IV Bl we plot $\lambda(\delta)$ for a variety of
parameter choices for a weak coherent and a PDC source respectively.



B. Using decoy states 

We now consider a slight modification of the protocol above, where we make use of so-called decoy states as they
are also used in QKD [21]-[23]. The main idea consists of Alice randomly choosing a particular setting of her photon
source according to a distribution $P_S$ over some set of settings $\mathcal{S}$ for each state she sends to Bob. One of these settings
(signal setting) corresponds to the configuration of the source she would normally use to execute the weak string
erasure protocol above, all others (decoy settings) are used to test the behavior of dishonest Bob. In our setting, the
effect of using decoy states is that dishonest Bob needs to behave roughly the same as honest Bob when it comes to
choosing which rounds to report as missing. This enables us to place a better bound on the parameter which
can lead to a significant increase in the set of detection efficiencies for which we can hope to show security (e.g., for a
weak coherent source see Section IV A 3[), and translates into an enhancement of the rate R given by (A26) and (A29)
at which the adversary needs to transmit information through his storage, if he wants to break the security of the
protocol.

We briefly describe how we make use of decoy states, before turning to the actual protocol. For each source setting, 
Alice can compute the gain, that is, the probability that Bob observes a click. Here we consider only the number of 
rounds M which Alice determines to be valid, and all probabilities are as explained in Section [II] conditioned on the 
event that Alice declared the round to be valid. We can then write the gain of honest Bob when Alice uses setting s, 
averaged over all possible numbers of photons, as 

$$Q_s = p_{B,\mathrm{click},s} = \sum_{n=0}^{\infty} p^{n}_{\mathrm{sent},s}\, p^{h|n}_{B,\mathrm{click}} . \qquad (17)$$

Note that $p^{h|n}_{B,\mathrm{click}}$ thereby does not depend on the source setting $s$, even though Bob can gain information about the setting $s$ by making a photon number measurement, since not all photon numbers are equally likely to occur for the different settings. Yet, since the photon number is the only information that Bob obtains, we can without loss of generality assume that his strategy is deterministic and depends only on the observed photon number. By counting the number of rounds that Bob reports missing, Alice obtains an estimate of this gain as

$$Q_s^{\mathrm{meas}} = \frac{M_{\mathrm{left},s}}{M_s} . \qquad (18)$$

The parameter $M_s$ denotes the number of valid rounds in which Alice uses setting $s$, and $M_{\mathrm{left},s}$ represents the number of such rounds that Bob did not report as missing. For an honest Bob, we have $Q_s^{\mathrm{meas}} \approx Q_s$ in the limit of large $M_s$. For finite $M_s$, we conclude that $M_{\mathrm{left},s}$ lies in the interval $[(Q_s - \zeta_s) M_s, (Q_s + \zeta_s) M_s]$, except with probability $\varepsilon$. In the protocol below, Alice will hence abort if $M_{\mathrm{left},s}$ lies outside this interval for any setting $s \in S$.

From the observed quantities $Q_s^{\mathrm{meas}}$ for different settings, Alice can obtain a lower bound on the yield of the single-photon emissions following standard techniques used in decoy state QKD [21-23]. Let us denote this lower bound as $\tau$. For honest Bob, the yield of single photons is of course just $p^{h|1}_{B,\mathrm{click}}$, as honest Bob always reports a round as missing if he did not observe a click. For dishonest Bob, placing a bound on this yield corresponds to placing a bound on $1 - r^{(1)}$, which in the limit of large $M$ can be seen as the probability that dishonest Bob does not choose to report a round as missing. Hence, we can use decoy states to obtain an estimate for the parameter $r^{(1)}$ as

$$r^{(1)} \leq 1 - \tau , \qquad (19)$$

even if Bob is dishonest. In Section V we provide an explicit expression for $\tau$ for the case of a source emitting phase-randomized coherent states.
Protocol 2: Weak String Erasure with Errors (WSEE) using decoy states

Outputs: $x^m \in \{0,1\}^m$ to Alice, $(\mathcal{I}, z^{|\mathcal{I}|}) \in 2^{[m]} \times \{0,1\}^{|\mathcal{I}|}$ to Bob.

1. Alice: Chooses a string $x^M \in_R \{0,1\}^M$ and basis-specifying string $\theta^M \in_R \{0,1\}^M$ uniformly at random.

2. Bob: Chooses a basis string $\tilde{\theta}^M \in_R \{0,1\}^M$ uniformly at random. He initializes $\mathcal{M} \leftarrow \emptyset$.

3. In time slot $i = 1, \ldots, M$:

1. Alice: Chooses a source setting $s_i \in S$ with probability $P_S(s_i)$. Encodes bit $x_i$ in the basis given by $\theta_i$ (i.e., as $H^{\theta_i}|x_i\rangle$), and sends the resulting state to Bob.

2. Bob: Measures in the basis given by $\tilde{\theta}_i$ to obtain outcome $\tilde{x}_i$. If Bob obtains no click in this time slot, he records round $i$ as missing by letting $\mathcal{M} \leftarrow \mathcal{M} \cup \{i\}$.

4. Bob: Reports to Alice which rounds were missing by sending $\mathcal{M}$.

4'. Alice: For each possible source setting $s \in S$, Alice computes the set of missing rounds $\mathcal{M}_s = \{i \in \mathcal{M} \mid s_i = s\}$. Let $M_s = |\{j \in [M] \mid s_j = s\}|$ be the number of rounds sent using setting $s$.

5. Alice: For each source setting $s \in S$: if the number of rounds that Bob reported missing does not lie in the interval $[(p_{B,\mathrm{no\ click},s} - \zeta_{B,\mathrm{no\ click},s}) M_s, (p_{B,\mathrm{no\ click},s} + \zeta_{B,\mathrm{no\ click},s}) M_s]$, then Alice aborts the protocol. Otherwise, she deletes all bits from $x^M$ that Bob reported missing, and all bits that correspond to decoy state settings $s \in S$. Let $x^m \in \{0,1\}^m$ denote the remaining bit string, and let $\theta^m$ be the basis-specifying string for the remaining rounds. Let $\tilde{\theta}^m$ and $\tilde{x}^m$ be the corresponding strings for Bob.

Both parties wait time $\Delta t$.

6. Alice: Informs Bob which rounds remain and sends the basis information $\theta^m$ to Bob, and outputs $x^m$.

7. Bob: Computes $\mathcal{I} := \{i \in [m] \mid \theta_i = \tilde{\theta}_i\}$, and outputs $(\mathcal{I}, z^{|\mathcal{I}|}) := (\mathcal{I}, \tilde{x}_{\mathcal{I}})$.



We now state the security parameters for this protocol for the case of large M s = M s for each possible source. The only difference to the previous statement is that we replace the bound on the rate (A29) with the bound obtained by bounding $r^{(1)}$ as in (19). The parameter $M$ refers to the number of valid pulses coming from the signal setting. The decoy pulses are merely used as an estimate, and play no further role in the protocol. However, the probability $\varepsilon$ to make a correctness or security error is increased by $\varepsilon$ for every interval check Alice does. As she does one check per source setting, we get a factor of $1 + |S|$ increase in the error probability.



Theorem III.3 (WSEE with decoy states). Let M = M signa i. When Bob's storage is given by T = N® vMst ° 
storage rate v > 0, with Af satisfying the strong converse property flW , and having capacity C^f bounded by 



for a 



CV • v < 



1 



h\l 
Pb. click 



(20) 



with t < 1 — then Protocol 1 is an (to, \(S), e(5),p^ erT )-weak string erasure protocol with errors with the following 
parameters: Let 8 €]0, \ — Cj^ ■ v\. Then the min-entropy rate X(S) is given by 



X(S) = min — 

{r(»)}„ m 



v ■ 7' 



- ) M s torc - Mcft log (l - Pb' 



(21) 



where 7^ is the strong converse parameter of Af (see (|15[) ) and the minimization is taken over all {rW}„ with 
1 - rW > t such that J2n=i r (n) M(") < M r d cport and 



71=1 



i? 



1 \ 1 - ^ 

2-*) -J*— 

' PB, click 



M storc = pl cnt ■ pT click ■ M 



M 



d 

report 



— (PB,no click ~ -PB.no click)-^ ' 



(22) 
(23) 
FIG. 5: 1-2 oblivious transfer from fully randomized transfer by sending additional messages given by the dashed lines.



for sufficiently large M . The error has the form 



s(6) < (1 + ■ 2exp ( - 512(4 + lQgl)2 ■ r pl ent M ) . (24) 



IV. OBLIVIOUS TRANSFER FROM WSEE 



We now show how to obtain oblivious transfer from WSEE. Here we implement a fully randomized oblivious transfer protocol (FROT), which can easily be converted into 1-2 oblivious transfer as shown in Figure 5. We now give an informal description of this task, and refer to [10] for a formal definition.

Definition IV.1 (Informal). An $(\ell, \varepsilon)$-fully randomized oblivious transfer protocol (FROT) is a protocol between two parties, Alice and Bob, satisfying the following properties:

Correctness: If both parties are honest, then Alice obtains two random strings $S_0, S_1 \in \{0,1\}^{\ell}$, and Bob obtains a random choice bit $C \in \{0,1\}$ as well as $S_C$.

Security for Alice: If Alice is honest, then there exists $C \in \{0,1\}$ such that given $S_C$, Bob cannot learn anything about $S_{1-C}$, except with probability $\varepsilon$.

Security for Bob: If Bob is honest, then Alice learns nothing about $C$.



A. Ingredients 

1. Suitable error-correcting codes

To deal with the bit-flip errors in the weak string erasure we need to augment the protocol of [10] with an additional error-correction step as in [25]. That is, Alice has to send some small amount of error-correcting information to Bob. The challenge we face is to ensure that security is preserved: Recall that if Bob is dishonest, we assume a worst-case scenario where he does not experience any transmission errors and he can perform perfect quantum operations. Hence, he could use this additional error-correcting information to correct some of the errors caused by his noisy quantum storage. On the other hand, if Alice is dishonest, we have to guarantee that the error-correcting process does not allow her to gain any information about the choice bit $C$. This last requirement can be achieved by using a one-way (or forward) error-correcting code in which only Alice sends information to Bob [47]. Let $\{C_n\}$ be a family of linear error-correcting codes of length $n$ capable of efficiently correcting $p_{\mathrm{err}} \cdot n$ errors. For a $k$-bit string $x^k$, error correction is done by sending the syndrome information $\mathrm{syn}(x^k)$ to Bob who can then efficiently recover $x^k$ from his noisy string $\mathcal{E}_{p_{\mathrm{err}}}(x^k)$. For instance, low-density parity-check (LDPC) codes can correct a $k$-bit string, where each bit is flipped with probability $p_{\mathrm{err}}$, by sending at most $1.2 \cdot h(p_{\mathrm{err}}) \cdot k$ bits of error-correcting information [26].
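The one-way syndrome exchange described above can be sketched as follows. This is an added example, not code from the paper: it assumes the small [7,4] Hamming code as a stand-in for the LDPC family, and the function names and the sample string are constructed for illustration.

```python
import math

N = 7  # block length of the [7,4] Hamming code (stand-in for an LDPC code)

# Parity-check matrix: column j (1-based) is the binary expansion of j, so the
# syndrome of a single flipped bit at position j spells out j.
H = [[(j >> row) & 1 for j in range(1, N + 1)] for row in range(3)]


def syndrome(block):
    """syn(x) = H * x over GF(2) for one 7-bit block."""
    return tuple(sum(h * b for h, b in zip(row, block)) % 2 for row in H)


def alice_syndromes(x):
    """Alice's only message: one 3-bit syndrome per block. Bob sends nothing back."""
    if len(x) % N:
        raise ValueError("string length must be a multiple of the block length")
    return [syndrome(x[i:i + N]) for i in range(0, len(x), N)]


def bob_correct(noisy, syndromes):
    """Bob recovers Alice's string from his noisy copy and her syndromes."""
    recovered = []
    for idx, syn_x in enumerate(syndromes):
        block = list(noisy[idx * N:(idx + 1) * N])
        # syn(x) xor syn(y) = H * e, which depends only on the error pattern e.
        diff = [a ^ b for a, b in zip(syn_x, syndrome(block))]
        pos = diff[0] + 2 * diff[1] + 4 * diff[2]  # 0 means "no error seen"
        if pos:
            block[pos - 1] ^= 1
        recovered.extend(block)
    return recovered


def h(p):
    """Binary entropy function."""
    if p in (0, 1):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def leak_comparison(k, p_err):
    """Syndrome bits sent by this toy code vs. the 1.2*h(p_err)*k figure for LDPC."""
    return 3 * (k // N), 1.2 * h(p_err) * k


# Constructed sample input: Alice's 14-bit string and two noisy copies for Bob.
X = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0]


def demo():
    one_flip_per_block = X[:]
    one_flip_per_block[2] ^= 1
    one_flip_per_block[11] ^= 1
    two_flips_in_block = X[:]
    two_flips_in_block[0] ^= 1
    two_flips_in_block[1] ^= 1
    syn = alice_syndromes(X)
    return bob_correct(one_flip_per_block, syn), bob_correct(two_flips_in_block, syn)


if __name__ == "__main__":
    good, bad = demo()
    print("one flip per block recovered:", good == X)
    print("two flips in one block recovered:", bad == X)
    print("bits sent vs LDPC figure:", leak_comparison(len(X), 0.05))
```

The second case in `demo` shows the failure mode: a block with more errors than the code can correct is silently decoded to the wrong string, which is why the code family has to be matched to $p_{\mathrm{err}}$.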



2. Interactive hashing 



Apart from an error-correcting code, the protocol below requires three classical ingredients that need to be implemented: First, we need to use the primitive of interactive hashing of subsets. This is a classical protocol in which Bob holds as input a subset $W^t \subseteq [\alpha]$ (where $\alpha$ is some natural number) and Alice has no input. Both Alice and Bob receive two subsets $W_0^t, W_1^t \subseteq [\alpha]$ as outputs, where there exists some $C \in \{0,1\}$ such that $W_C^t = W^t$ as depicted in Figure 6. Informally, security means that Alice does not learn $C$, and $W_{1-C}^t$ is chosen almost at random from the set of all possible subsets of $[\alpha]$. That is, Bob has very little control over the choice of $W_{1-C}^t$. Here we restrict ourselves to this definition and refer to [10] for a formal definition. In order to perform interactive hashing, we describe below how to encode the input subsets into a $t$-bit string. Intuitively, interactive hashing can be done by Alice asking Bob for random parities of his $t$-bit string $W^t$. After $t - 1$ linearly independent queries, there are only two possible strings left: one of which is Bob's original input, the other one is pretty much out of his control. A concrete protocol for interactive hashing can be found, for instance, in [27].

FIG. 6: Interactive hashing. [Figure: Bob inputs $W^t \subseteq [\alpha]$; interactive hashing of subsets outputs $W_0^t, W_1^t \subseteq [\alpha]$ to both Alice and Bob, with $\exists C \in \{0,1\}$ s.t. $W_C^t = W^t$.]
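The parity-query intuition above can be made concrete with a little linear algebra over GF(2). The following is an added sketch, not the protocol of [27] and not code from the paper; bit strings are stored as Python integers, all function names are illustrative, and in a real run Alice sends her queries one at a time and waits for each answer.

```python
import random


def parity(a, w):
    """Inner product over GF(2) of two bit vectors stored as integers."""
    return bin(a & w).count("1") & 1


def reduce_vec(v, basis):
    """Reduce v against a basis keyed by leading bit; 0 means v is dependent."""
    while v:
        lead = v.bit_length() - 1
        if lead not in basis:
            return v
        v ^= basis[lead]
    return 0


def alice_queries(t, rng):
    """Alice: draw t-1 random, linearly independent vectors of GF(2)^t."""
    basis, queries = {}, []
    while len(queries) < t - 1:
        a = rng.getrandbits(t)
        r = reduce_vec(a, basis)
        if r:  # keep a only if it is independent of the earlier queries
            basis[r.bit_length() - 1] = r
            queries.append(a)
    return queries


def consistent_strings(queries, answers, t):
    """Both strings that agree with every (query, answer) pair.

    Works from the public transcript only, so Alice and Bob obtain the same pair.
    """
    # Augmented rows: bits 0..t-1 hold the query, bit t holds the answer.
    rows = [a | (b << t) for a, b in zip(queries, answers)]
    pivots = []  # (pivot column, fully reduced row)
    for col in range(t):
        idx = next((i for i, r in enumerate(rows) if (r >> col) & 1), None)
        if idx is None:
            continue
        piv = rows.pop(idx)
        rows = [r ^ piv if (r >> col) & 1 else r for r in rows]
        pivots = [(c, p ^ piv if (p >> col) & 1 else p) for c, p in pivots]
        pivots.append((col, piv))
    # t-1 independent equations in t unknowns leave exactly one free column.
    free = (set(range(t)) - {c for c, _ in pivots}).pop()
    x0, null = 0, 1 << free
    for col, p in pivots:
        if (p >> t) & 1:      # particular solution with the free bit set to 0
            x0 |= 1 << col
        if (p >> free) & 1:   # null-space vector with the free bit set to 1
            null |= 1 << col
    return tuple(sorted((x0, x0 ^ null)))


def interactive_hashing(w, t, rng):
    """Run the exchange for Bob's input w; returns ((w0, w1), c, queries, answers)."""
    queries = alice_queries(t, rng)
    answers = [parity(a, w) for a in queries]  # Bob's replies
    w0, w1 = consistent_strings(queries, answers, t)
    c = 0 if w0 == w else 1  # known to Bob only: position of his input in the pair
    return (w0, w1), c, queries, answers


if __name__ == "__main__":
    rng = random.Random(2024)  # fixed seed so the constructed demo is repeatable
    pair, c, _, _ = interactive_hashing(0b1011001110, 10, rng)
    print("outputs:", [format(x, "010b") for x in pair], "Bob's index:", c)
```

The pair is returned in sorted order so that its ordering carries no information about which element was Bob's input.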



3. Encoding of subsets 



The second ingredient we need is thus an encoding of subsets as bit strings. More precisely, we map $t$-bit strings to subsets using $\mathrm{Enc}: \{0,1\}^t \to \mathcal{T}$, where $\mathcal{T}$ is the set of all subsets of $[\alpha]$ of size $\alpha/4$. Here we assume without loss of generality that $\alpha$ is a multiple of 4. The encoding Enc is injective, that is, no two strings are mapped to the same subset. Below, we furthermore choose $t$ such that $2^t \leq \binom{\alpha}{\alpha/4} \leq 2 \cdot 2^t$. This means that not all possible subsets are encoded, but at least half of them. We refer to [13, 28] for details on how to obtain such an encoding.
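One standard way to build an injective map of this kind is lexicographic unranking of fixed-size subsets. The sketch below is an added example and an assumption about how Enc could be realized, not the construction of [13, 28]; `choose_t`, `enc` and `dec` are illustrative names.

```python
from math import comb


def choose_t(alpha):
    """Largest t with 2^t <= C(alpha, alpha/4), so that C(alpha, alpha/4) < 2 * 2^t."""
    if alpha % 4:
        raise ValueError("alpha must be a multiple of 4")
    return comb(alpha, alpha // 4).bit_length() - 1


def enc(w, alpha):
    """Map the t-bit string w (as an integer) to a subset of [alpha] of size alpha/4.

    w is read as a lexicographic rank; subsets are returned as sorted lists
    over 1..alpha.
    """
    k, t = alpha // 4, choose_t(alpha)
    if not 0 <= w < (1 << t):
        raise ValueError("w must be a t-bit string")
    subset, rank, x = [], w, 1
    for remaining in range(k, 0, -1):
        # comb(alpha - x, remaining - 1) subsets have x as their next element.
        while comb(alpha - x, remaining - 1) <= rank:
            rank -= comb(alpha - x, remaining - 1)
            x += 1
        subset.append(x)
        x += 1
    return subset


def dec(subset, alpha):
    """Inverse of enc on its image: lexicographic rank of a size-alpha/4 subset."""
    k = alpha // 4
    if len(subset) != k or sorted(set(subset)) != list(subset):
        raise ValueError("expected a sorted subset of size alpha/4")
    rank, x = 0, 1
    for i, s in enumerate(subset):
        remaining = k - i
        for y in range(x, s):
            rank += comb(alpha - y, remaining - 1)
        x = s + 1
    return rank


def image_fraction(alpha):
    """Fraction of all size-alpha/4 subsets that are hit by enc (at least 1/2)."""
    return (1 << choose_t(alpha)) / comb(alpha, alpha // 4)


if __name__ == "__main__":
    alpha = 12
    print("t =", choose_t(alpha), "of", comb(alpha, alpha // 4), "subsets")
    print("enc(5) =", enc(5, alpha), "fraction encoded =", image_fraction(alpha))
```

Subsets whose rank is $2^t$ or larger are never produced, which is the "not all possible subsets are encoded" caveat in the text.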



4. Two-universal hashing



Finally, we require the use of two-universal hash functions for privacy amplification as they are also used in QKD [29]. Any implementation used for QKD may be used here. Below, we use $\mathcal{R}$ to denote the set of possible hash functions, and use $\mathrm{Ext}(X, R)$ to represent the output of the hash function given by $R$ when applied to the string $X$.



B. Protocol 



Before providing a detailed description of the protocol, we first give a description of the different steps involved in Figure 7.

FIG. 7: Conceptual steps in the protocol for FROT from WSEE. [Figure: weak string erasure with errors of m bits; interactive hashing; error-correcting information sent by Alice; Bob computes C and corrects errors; two-universal hashing; outputs.]
Protocol 3: WSEE-to-FROT

Parameters: Integers $m, \beta$ such that $\alpha := m/\beta$ is a multiple of 4. Set $t := \alpha/2$. Outputs: $(s_0^{\ell}, s_1^{\ell}) \in \{0,1\}^{\ell} \times \{0,1\}^{\ell}$ to Alice, and $(c, y^{\ell}) \in \{0,1\} \times \{0,1\}^{\ell}$ to Bob.

1: Alice and Bob: Execute $(m, \lambda, \varepsilon, p_{\mathrm{err}})$-WSEE. Alice obtains a string $x^m \in \{0,1\}^m$, Bob a set $\mathcal{I} \subseteq [m]$ and a string $s = \mathcal{E}_{p_{\mathrm{err}}}(x_{\mathcal{I}})$. If $|\mathcal{I}| < m/4$, Bob aborts. Otherwise, he randomly truncates $\mathcal{I}$ to the size $m/4$, and deletes the corresponding values in $s$.

We arrange $x^m$ into a matrix $z \in M_{\alpha \times \beta}(\{0,1\})$, by $z_{j,k} := x_{(j-1)\cdot\beta + k}$ for $(j,k) \in [\alpha] \times [\beta]$.

2: Bob:

1. Randomly chooses a string $w^t \in_R \{0,1\}^t$ corresponding to an encoding of a subset $\mathrm{Enc}(w^t)$ of $[\alpha]$ with $\alpha/4$ elements.

2. Randomly partitions the $m$ bits of $x^m$ into $\alpha$ blocks of $\beta$ bits each: He randomly chooses a permutation $\pi : [\alpha] \times [\beta] \to [\alpha] \times [\beta]$ of the entries of $z$ such that he knows $\pi(z)_{\mathrm{Enc}(w^t)}$ (that is, these bits are a permutation of the bits of $s$). Formally, $\pi$ is uniform over permutations satisfying the following condition: for all $(j,k) \in [\alpha] \times [\beta]$ and $(j', k') := \pi(j,k)$, we have $(j-1)\cdot\beta + k \in \mathcal{I}$ if and only if $j' \in \mathrm{Enc}(w^t)$.

3. Bob sends $\pi$ to Alice.

3: Alice and Bob: Execute interactive hashing with Bob's input equal to $w^t$. They obtain $w_0^t, w_1^t \in \{0,1\}^t$ with $w^t \in \{w_0^t, w_1^t\}$.

4: Alice: Sends error-correcting information for every block in $\mathrm{Enc}(w_0^t)$ and $\mathrm{Enc}(w_1^t)$, i.e., $\forall j \in \mathrm{Enc}(w_0^t) \cup \mathrm{Enc}(w_1^t)$, Alice sends $\mathrm{Syn}(\pi(z)_j)$ to Bob.

5: Alice: Chooses $r_0, r_1 \in_R \mathcal{R}$ and sends them to Bob.

6: Alice: Outputs $(s_0^{\ell}, s_1^{\ell}) := (\mathrm{Ext}(\pi(z)_{\mathrm{Enc}(w_0^t)}, r_0), \mathrm{Ext}(\pi(z)_{\mathrm{Enc}(w_1^t)}, r_1))$.

7: Bob: Computes $c$, where $w^t = w_c^t$, and $\pi(z)_{\mathrm{Enc}(w^t)}$ from $s$. Performs error correction on the blocks of $\pi(z)_{\mathrm{Enc}(w^t)}$. He outputs $(c, y^{\ell}) := (c, \mathrm{Ext}(\pi(z)_{\mathrm{Enc}(w^t)}, r_c))$.



When using WSEE to obtain FROT, Protocol 3 achieves the following parameters. The proof of this statement 
can be found in Appendix [B] 

Theorem IV. 2 (Oblivious transfer). For any constant uj > 2 and ft > max{67, 256w 2 /A 2 }, the protocol WSEE-to- 
FROT implements an {£,41 ■ 2"^^ + 2e) -FROT from one instance of (m, X,e,p crr )-WSEE 7 where 

LVV w / 8 512w 2 /3 8 / 2 

The parameter $\omega$ appearing in the theorem above is an additional parameter that we can tune to trade off a higher rate of OT against an error that decays more slowly. Our choice of $\omega$ will thereby depend on the error $p_{\mathrm{err}}$: Note that for large values of $\omega$, we can essentially achieve security as long as $\lambda > h(p_{\mathrm{err}})$ (see Figure 8). Of course, this requires us to use many more rounds to be able to achieve the desired block size $\beta$, as well as to make the error sufficiently small again. Using more rounds, however, may be much easier than to decrease the bit error rate of the channel.

V. SECURITY FOR TWO CONCRETE IMPLEMENTATIONS 

We now show how our security analysis applies to two particular experimental setups using weak coherent pulses 
or a parametric down conversion source. Unlike in QKD, our protocols are particularly interesting at short distance, 
where one may use visible light for which better detectors exist. 
FIG. 8: (Color online) Security can be achieved if $(p_{\mathrm{err}}, \lambda)$ lies in the shaded region, where we chose a very large value of $\omega = 100000$.

FIG. 9: Experimental setup with phase-randomized weak coherent pulses. The Encoder codifies the BB84 signal information. The polarization shifter (PS) allows one to change the polarization basis (computational basis + or Hadamard basis ×) of the measurement as desired. The polarization analyzer consists of a polarizing beam splitter (PB) and two threshold detectors. The PB discriminates the two orthogonal polarized modes.



A. Phase-randomized weak coherent pulses 

1. Experimental setup and loss model 

We first consider a phase-randomized weak coherent source. The basic setup for Alice and Bob is illustrated in Figure 9. The signal states sent by Alice can be described as

$$\rho_k = e^{-\mu} \sum_{n=0}^{\infty} \frac{\mu^n}{n!}\, |n_k\rangle\langle n_k| , \qquad (25)$$

where the signals $|n_k\rangle$ denote Fock states with $n$ photons in one of the four possible polarization states of the BB84 scheme, which are labeled with the index $k$.

On the receiving side, we shall assume that honest Bob uses an active-basis-choice measurement setup. It consists of a polarization analyzer and a polarization shifter which effectively changes the polarization basis of the subsequent measurement. The polarization analyzer has two threshold detectors, each monitoring the output of a polarizing beam splitter. These detectors are characterized by their detection efficiency $\eta$ and their dark-count probability $p_{\mathrm{dark}}$. Notice that we include all sources of loss in the system (including channel loss, coupling loss in Alice's and Bob's laboratory etc.) in the definition of the detection efficiency $\eta$ [48]. For the case of honest Alice and Bob, the overall transmittance, $\eta$, is a product, i.e., $\eta = \eta_A \eta_{\mathrm{channel}} \eta_B \eta_D$ where $\eta_A$ is the transmittance on Alice's side, $\eta_{\mathrm{channel}}$ is the channel transmittance, $\eta_B$ is the transmittance on Bob's side (excluding detection inefficiency) and $\eta_D$ is the detector efficiency defined previously in the introductory section. Recall, from the introductory section, that $\eta_D$ is about 10% for telecom wavelengths and 70% for visible wavelengths.

Now, for some practical set-ups (such as short-distance free-space with visible wavelength), it is probably technologically feasible to achieve $\eta_A \eta_{\mathrm{channel}} \eta_B$ of order 1, say 50 percent. In more detail, in some set-ups (e.g. with a weak coherent state source), Alice may compensate for her internal loss by characterizing it and then simply turning up the intensity of her laser. In those cases, she may effectively set $\eta_A = 1$. Now, for short-distance applications, $\eta_{\mathrm{channel}}$ can be made of order 1. All that is required to achieve $\eta_A \eta_{\mathrm{channel}} \eta_B$ of order 1 is to reduce Bob's internal loss, thus boosting $\eta_B$ to order 1. For simplicity, we consider that both detectors have equal parameters. Since we absorb all terms into the detector inefficiency, we simply refer to this as $\eta$.

As in QKD [30], the fact that each signal state is phase-randomized is an important element for our security analysis. It allows us to argue that, without loss of generality, a dishonest Bob always performs a quantum nondemolition (QND) measurement of the total number of photons contained in each pulse sent by Alice. Hence, we can analyze the single-photon pulses separately from the multi-photon pulses, which makes an important difference for Bob's cheating capabilities. In Appendix C, we compute all relevant probabilities to evaluate security in this scenario. These probabilities are summarized in the following Table I. For completeness, we explicitly state some parameters which we need in order to evaluate the error probability $p_{B,\mathrm{err}}$. These parameters are: the probability that Bob makes an error due to dark counts alone ($p_{B,D,\mathrm{err}}$), the signal alone ($p_{B,S,\mathrm{err}}$), and the probability that he makes an error due to dark counts and the signal ($p_{B,DS,\mathrm{err}}$), as well as the probability that a signal alone produces no click on Bob's side ($p_{B,S,\mathrm{no\ click}}$).


Parameter 


Value 


Psrc 




Pscnt 


Psrc 


h\l 

Pb, click 


Tj + (1 - 7?)pdark(2 - Pdark) 


f^B.crr 





r, d 

PB,no click 




„ h 

PB,S,no click 




PB,no click 


PB,S,no click — Pb,S,iio clickPdark(2 — Pdark) 


PB,D,err 


Pdark(l - Pdark) + Pdark/2 


PB,DS,crr 


(! -PB,S,no click) ((1 - Gdct) 2 ^ + e d et -Pdark(| - Pdark)) 


PB,S,crr 


edct(l — PB,S,no click) 


PB,crr 


PB,S,crr(l -Pclark(2 — Pdark)) + PB,S,no clickPB,D,crr +PB,DS,crr 



TABLE I: Summary of the probabilities for phase-randomized weak coherent pulses 



2. Security parameters 

To evaluate the probabilities above we assume that $p_{\mathrm{dark}} = 0.85 \times 10^{-6}$, and use $e_{\mathrm{det}} = 0.033$ as a very conservative number on a distance of 122 km [31].

a. Weak string erasure. We now investigate the security of $(m, \lambda, \varepsilon, p_{\mathrm{err}})$-weak string erasure, when using a weak coherent source. Before examining the weak string erasure rate $\lambda$ that one can obtain for some set of source parameters, we first consider when security can be obtained in principle (i.e., when (12) and (13) are satisfied) as a function of the mean photon number $\mu$, the detection efficiency $\eta$, the storage rate $\nu$ and the amount of storage noise. Our examples here focus on the depolarizing channel with parameter $r$ as defined in (11). First of all, Figure 10 tells us when security is possible at all, independently of the amount of storage noise. We then examine a particular example of storage noise and storage rates in Figure 11. This shows that even for low storage noise, we can hope to achieve security for many source settings. Note that this plot is merely an example, and of course does not rule out security of other forms of storage noise or other storage rates. The following plots have been made using Mathematica, and the corresponding files used are available upon request.

We now consider when conditions (12) and (13) can be satisfied in terms of the amount of noise in storage given by $r$, and the storage rate $\nu$ for some typical parameters in an experimental setup. Figure 12 shows us that there is a clear trade-off between $r$ and $\nu$ dictating when weak string erasure can be obtained from our analysis, but typical parameters of the source move us well within a possible region.

Now that we have established that secure weak string erasure can be obtained for a reasonable choice of parameters, it remains to establish the weak string erasure rate $\lambda$. This parameter cannot be read off explicitly, but is determined by the optimization problem given in (16). To gain some intuition about the magnitude of this parameter we plot it in Figure 13 for various choices of experimental settings, and a storage rate of $\nu = 1$. This shows that even for a very high storage rate, there is a positive rate of $\lambda$ for many reasonable settings. Of course $\lambda$ can be larger if we were to consider a lower storage rate.
FIG. 10: (Color online) Security possible for $(\eta, \mu)$ in the shaded region where (12) is fulfilled. Our proof does not apply to parameters in the region below the curve. For the shaded region above the curve, additional conditions such as (13) are checked in the following Figure 11.

FIG. 11: (Color online) Security possible for $(\eta, \mu)$ in the upper enclosed regions for a low storage noise of $r = 0.9$ and storage rates $\nu$ of 1/2 (dashed red line), 0.45 (dotted green line), 0.35 (dot dashed blue line), 0.25 (large dashed magenta line), 0.15 (solid black line) (satisfying (12) and (13)).

FIG. 12: (Color online) Security for $(r, \nu)$ below the lines for $\mu = 0.3$ and detection efficiencies $\eta$: 0.7 (solid black line), 0.5 (large dashed magenta line), 0.4 (dot dashed blue line), 0.3 (dotted green line), 0.2 (dashed red line).



To gain further intuition into the role that the different parameters play in determining the rate $\lambda$, we investigate the trade-off between $\lambda$ and the detection efficiency $\eta$ in Figure 14, and the trade-off between $\lambda$ and the mean photon number $\mu$ in Figure 15 for some choices of storage noise $r$ and storage rate $\nu$.

b. 1-2 oblivious transfer. We can now consider the security of $(\ell, \varepsilon)$-oblivious transfer based on weak string erasure implemented using a weak coherent source. The parameter which is of most concern to us here is the bit error rate $p_{\mathrm{err}} = p_{B,\mathrm{err}} / (1 - p_{B,\mathrm{no\ click}})$. As we already saw in Figure 8, this error cannot be arbitrarily large for a fixed value of the WSE rate $\lambda$. In a practical implementation, this translates into a trade-off between the bit error $p_{\mathrm{err}}$ and the efficiency $\eta$ as shown in Figure 16, where for now we treat $p_{\mathrm{err}}$ as an independent parameter to get an intuition for its contribution.

Of course $p_{\mathrm{err}}$ is not an independent parameter, but depends on $\mu$, $\eta$ and most crucially on $e_{\mathrm{det}}$. Figure 17 shows how many bits $\ell$ of 1-2 oblivious transfer we can hope to obtain per valid pulse $M$ for very large $M$. The parameter $\mu$ has thereby been chosen to obtain a high rate when all other parameters were fixed. We will also refer to $\ell/M$ as the oblivious transfer rate. As expected, we can see that this rate does of course depend greatly on the efficiency $\eta$, but also on the storage noise and on the storage rate.



3. Parameters using decoy states 

FIG. 13: (Color online) The WSE rate $\lambda$ in terms of the amount of depolarizing noise $r$ where $\mu = 0.3$, and a variety of detection efficiencies $\eta$: 0.7 (solid black line), 0.6 (dashed red line), 0.5 (dotted blue line), 0.4 (dot dashed yellow line), 0.3 (large dashed magenta line) and 0.2 (larger dashed turquoise line).

FIG. 14: (Color online) The WSE rate $\lambda$ in terms of the detection efficiency $\eta$ for $r = 0.8$ and storage rates $\nu$: 1/5 (solid blue line), 1/4 (dashed red line), 1/2 (dotted green line), 2/3 (dot dashed magenta line).

FIG. 15: (Color online) The WSE rate $\lambda$ in terms of the mean photon number $\mu$ for $r = 0.8$ and $\nu$ as in Figure 14.

FIG. 16: (Color online) Security for $(p_{\mathrm{err}}, \eta)$ in the shaded region for example parameters $r = 0.4$, $\nu = 1/5$ and large $\omega = 100000$.

FIG. 17: (Color online) The rate $\ell/M$ of oblivious transfer for a large number of valid pulses $M$ for parameters $\omega = 1000$ and ($\mu = 0.15$, $\eta = 0.3$, $r = 0.1$, $\nu = 1/10$, solid blue line), ($\mu = 0.4$, $\eta = 0.7$, $r = 0.1$, $\nu = 1/10$, dashed red line), ($\mu = 0.15$, $\eta = 0.7$, $r = 0.7$, $\nu = 1/4$, dotted magenta line), ($\mu = 0.2$, $\eta = 0.7$, $r = 0.4$, $\nu = 1/3$, light blue line).

We now analyze the scenario where Alice sends decoy states. In particular, let us consider a simple system with only two decoy states: vacuum and a weak decoy state with mean photon number $\tilde{\mu}$. The mean photon number of the signal states will be denoted as $\mu$. Moreover, we select $\tilde{\mu} < \mu$. Without loss of generality, we hence use labels $S = \{\mathrm{vac}, \tilde{\mu}, \mu\}$ for the possible settings of the source. Furthermore, we assume that Alice chooses one of these settings uniformly at random, that is $P_S(s) = 1/3$ for all $s \in S$. This may not be optimal, but due to the large number of parameters we will limit ourselves to this choice. Since $p^{n}_{\mathrm{src}} = p^{n}_{\mathrm{sent}}$ for the case of a phase-randomized weak coherent source, we can write for honest Bob



<&c=J>Sck> (26) 

00 „ n 



n 

n=0 



= e " E ^Kiick ■ (28) 

(29) 

For the typical channel model, that is, if Bob were honest, we furthermore have 

PB.click = 2pdark(l - Pdark) + Pdark , (30) 

PBl'c l li ck = l-(l-PB!c 1 ick)(l-^- (31) 

(32) 

For simplicity, when calculating the value of the parameter $p_{B,\mathrm{click}}$ we have only considered the noise arising from dark counts in the detectors. In a practical situation, however, there might be other effects like stray light that also contribute to the final value of $p_{B,\mathrm{click}}$. Still, from her knowledge of the experimental setup, Alice can always make a reasonable estimate of the maximum tolerable value of $p_{B,\mathrm{click}}$ such that the protocol is not aborted and the analysis is completely analogous. Furthermore, we have assumed that the losses come mainly from the finite detection efficiency of the detectors, since the communication distance will be typically quite short.

To estimate a lower bound on the yield of single photons we follow the procedure proposed in [24]. Note, however, that many other estimation techniques are also available, like, for instance, linear programming tools [32]. In the asymptotic case we obtain [24]
(1 - r«) > f with f := -A^ (q<^ ^~Qt c ) , (33) 

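where we used the fact that for honest Bob $p^{h|1}_{B,\mathrm{click}} = 1 - r^{(1)}$ in the limit of large $M$, as Bob will decide to report any round as missing that he did not receive. In Protocol 2 we have that conditioned on the event that Alice does not abort the protocol

$$Q^{\mathrm{meas}}_{\mathrm{vac}} \in [(Q_{\mathrm{vac}} - \zeta_0), (Q_{\mathrm{vac}} + \zeta_0)] , \qquad (34)$$

$$Q^{\mathrm{meas}}_{\tilde{\mu}} \in [(Q_{\tilde{\mu}} - \zeta_{\tilde{\mu}}), (Q_{\tilde{\mu}} + \zeta_{\tilde{\mu}})] , \qquad (35)$$

$$Q^{\mathrm{meas}}_{\mu} \in [(Q_{\mu} - \zeta_{\mu}), (Q_{\mu} + \zeta_{\mu})] , \qquad (36)$$

where $\zeta_0 = \sqrt{\ln(2/\varepsilon)/(2M_0)}$, $\zeta_{\tilde{\mu}} = \sqrt{\ln(2/\varepsilon)/(2M_{\tilde{\mu}})}$, and $\zeta_{\mu} = \sqrt{\ln(2/\varepsilon)/(2M_{\mu})}$. We can hence bound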

(l-rW)>r withr:= 77 ^f(Q|-2C A )e^-(Q^ + 2C M )e^-^^(Qtc + 2Co)) , (37) 

which in the limit of large Mo, and gives us ([53"]) . The factor 2 in the equation ([57)1 above stems from the 
fact that Alice still accepts a value at the upper (or lower) edge of the interval such as + C,^. In this case however, 

the real parameter Q 1 ^ is possibly as high as Q 1 ^ + 2( ll . 



4. Weak string erasure

For direct comparison, we now provide the same plots as given in Section IV A 2 a, where for simplicity we will always choose $\tilde{\mu} = 0.05$. Of course, this may not be optimal, but serves as a good comparison. As expected, using decoy states limits dishonest Bob from reporting too many single-photon rounds as missing, thereby allowing us to place a better bound on $r^{(1)}$. This fact greatly increases the range of parameters $\eta$ and $\mu$ for which we can hope to show security as shown in Figures 18 and 19. We also observe in Figure 20 that the detection efficiency $\eta$ plays almost no role in determining for which values of storage noise $r$ and storage rate $\nu$ we can obtain security. This is true for all values of $\mu < 0.4$ we have chosen to examine.

FIG. 18: (Color online) Security possible for $(\eta, \mu)$ with decoy states in the shaded region where (12) is fulfilled. Additional conditions such as (13) are checked in the following Figure 19.

FIG. 19: (Color online) Security possible for $(\eta, \mu)$ with decoy states in the upper enclosed regions for a low storage noise of $r = 0.9$ and storage rates 1/2 (dashed red line), 0.45 (dotted green line), 0.35 (dot dashed blue line), 0.25 (large dashed magenta line), 0.15 (solid black line) (satisfying (12) and (13)).

FIG. 20: (Color online) Security for $(r, \nu)$ with decoy states below the lines for $\mu = 0.3$ and detection efficiencies $\eta$: 0.7 (solid black line), 0.5 (large dashed magenta line), 0.4 (dot dashed blue line), 0.3 (dotted green line), 0.2 (dashed red line).



It is however interesting to observe that the magnitude of the final weak string erasure rate $\lambda$ changes only slightly when we use decoy states. This is due to the strong converse parameter (15) which determines $\lambda$ as given in (16) and which is not necessarily large for larger values of $R$. This is witnessed by Figure 21. Still, we again observe that we may use much lower values of $\eta$ as shown in Figure 22 and a much higher mean photon number $\mu$ as shown in Figure 23.

FIG. 21: (Color online) The WSE rate $\lambda$ for decoy states in terms of the amount of depolarizing noise $r$ where $\mu = 0.3$, and a variety of detection efficiencies $\eta$: 0.7 (solid black line), 0.6 (dashed red line), 0.5 (dotted blue line), 0.4 (dot dashed yellow line), 0.3 (large dashed magenta line) and 0.2 (larger dashed turquoise line).

FIG. 22: (Color online) The WSE rate $\lambda$ for decoy states in terms of the detection efficiency $\eta$ for $r = 0.8$ and storage rates $\nu$: 1/5 (solid blue line), 1/4 (dashed red line).

FIG. 23: (Color online) The WSE rate $\lambda$ for decoy states in terms of the mean photon number $\mu$ for $r = 0.8$ and $\nu$ as in Figure 22.



5. 1-2 oblivious transfer 

Again, we also consider the security of $(\ell, \varepsilon)$-oblivious transfer based on weak string erasure implemented using a weak coherent source and decoy states as above. We first observe that decoy states soften the trade-off between the bit error $p_{\mathrm{err}}$ and the efficiency $\eta$ as shown in Figure 24, where we for now treat $p_{\mathrm{err}}$ as an independent parameter to get an intuition for its contribution. Figure 25 now shows how many bits $\ell$ of 1-2 oblivious transfer we can hope to obtain per valid pulse $M$ for very large $M$, when using decoy states. Again, we see that using decoy states softens the effects of $\eta$. Note that we again count only the valid pulses, which here corresponds to all pulses sent with the signal setting. As in QKD, it may be possible to use the remaining pulses which one could incorporate in our analysis given in the appendix. However, for clarity of exposition, we have chosen not to make use of such pulses in this work.

B. Parametric down-conversion source 

1. Experimental setup and loss model 

Now we consider that Alice uses a pumped type-II PDC source. The states emitted by this type of source can be 
written as [33] 

$$ |\Psi_{\rm src}\rangle_{AB} = \sum_{n=0}^{\infty} \sqrt{p^n_{\rm src}}\, |\Phi_n\rangle_{AB} , \tag{38} $$

FIG. 24: (Color online) Security for $(p_{\rm err}, \eta)$ with decoy states in the shaded region for example parameters $r = 0.4$, $\nu = 1/5$ 
and large $\omega = 100000$. 
FIG. 25: (Color online) The rate $\ell/M$ of oblivious transfer with decoy states for a large number of valid pulses M for parameters 
$\omega = 1000$ and ($\mu = 0.2$, $\eta = 0.3$, $r = 0.1$, $\nu = 1/10$, solid blue line), ($\mu = 0.3$, $\eta = 0.7$, $r = 0.1$, $\nu = 1/10$, dashed red line), 
($\mu = 0.3$, $\eta = 0.7$, $r = 0.7$, $\nu = 1/4$, dotted magenta line), ($\mu = 0.3$, $\eta = 0.7$, $r = 0.4$, $\nu = 1/3$, light blue line). 



where the probability distribution $p^n_{\rm src}$ is given by 

$$ p^n_{\rm src} = \frac{(n+1)(\mu/2)^n}{(1 + (\mu/2))^{n+2}} . \tag{39} $$

The parameter $\mu/2$ is directly related to the pump amplitude of the laser resulting in a mean photon pair number 
per pulse of $\mu$, and 

$$ |\Phi_n\rangle_{AB} = \sum_{m=0}^{n} \frac{(-1)^m}{\sqrt{n+1}}\, |n-m, m\rangle_A\, |m, n-m\rangle_B . \tag{40} $$

Here we have used the computational basis on each side. Each signal state $|\Phi_n\rangle_{AB}$ contains exactly 2n photons; n of 
them are measured by Alice and the other n are measured by Bob, as depicted in Figure 26. We furthermore choose 
77 as in the case of a weak coherent source. That is, since 77A??channei?7B = 1 we simply write 77 = r]r> for both parties. 
The dark count rate is again denoted by $p_{\rm dark}$. 
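
The photon-pair statistics of the PDC source can be checked numerically. The following Python sketch is an added example, not code from the paper: it evaluates the distribution $p^n_{\rm src}$ given above, confirms that it is normalized with mean pair number $\mu$, and compares its vacuum, single and multi-emission weights with the Poissonian statistics of a phase-randomized weak coherent pulse at the same $\mu$. The function names and the truncation at 60 emissions are assumptions of this example.

```python
import math

# Truncation of the photon-number sums (assumption of this example);
# the neglected tail is far below double precision for mu <= 1.
N_MAX = 60


def pdc_pair_probability(n: int, mu: float) -> float:
    """Probability that the type-II PDC source emits n photon pairs:
    p_src^n = (n + 1) (mu/2)^n / (1 + mu/2)^(n + 2)."""
    if n < 0 or mu < 0:
        raise ValueError("n and mu must be non-negative")
    x = mu / 2.0
    return (n + 1) * x**n / (1.0 + x) ** (n + 2)


def wcp_photon_probability(n: int, mu: float) -> float:
    """Poissonian photon-number distribution of a phase-randomized
    weak coherent pulse with mean photon number mu."""
    if n < 0 or mu < 0:
        raise ValueError("n and mu must be non-negative")
    return math.exp(-mu) * mu**n / math.factorial(n)


def summarize(distribution, mu: float) -> dict:
    """Total weight, mean, and vacuum / single / multi-emission weights."""
    probs = [distribution(n, mu) for n in range(N_MAX + 1)]
    return {
        "total": sum(probs),
        "mean": sum(n * p for n, p in enumerate(probs)),
        "vacuum": probs[0],
        "single": probs[1],
        # Source-level weight of all emissions with n > 1. In the
        # conservative analysis these rounds are handed to dishonest Bob.
        # For the PDC source this is before Alice's post-selection.
        "multi": 1.0 - probs[0] - probs[1],
    }


def compare_sources(mu: float) -> dict:
    """Statistics of both sources at the same mean photon number."""
    return {
        "pdc": summarize(pdc_pair_probability, mu),
        "wcp": summarize(wcp_photon_probability, mu),
    }


if __name__ == "__main__":
    for mu in (0.05, 0.3):  # mean photon numbers appearing in the figure captions
        result = compare_sources(mu)
        for name, stats in result.items():
            print(
                f"mu={mu:<5} {name}: total={stats['total']:.6f} "
                f"mean={stats['mean']:.6f} vacuum={stats['vacuum']:.6f} "
                f"single={stats['single']:.6f} multi={stats['multi']:.6f}"
            )
```

At equal $\mu$ the PDC distribution puts more weight on multi-pair emissions than the Poissonian source, which is the part of the signal that Alice's post-selection has to filter.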

An important difference between the setup using a PDC source and the one using a weak coherent pulse source, is 
that Alice herself can (with some probability) discard a round if she concludes no photon — or too many photons — have 
been emitted. These rounds can be safely discarded by herself, and thus do not contribute to the protocol any further. 
We will refer to the remaining pulses as valid. To compare the two approaches more easily, we will assume that in the 
case of a PDC source, we consider only the valid pulses. That is, the parameter M in the WSE protocol corresponds 
to the valid pulses, and not to all pulses emitted by Alice. It is certainly debatable whether this is a fair comparison, 
FIG. 26: Experimental setup with a PDC source. Alice and Bob measure each output signal by means of an active BB84 
measurement setup, like the one described in Section V A 1. 



Parameter 



Value 



Psrc 



M /(l + W2)) 3 



Pscnt 



Pb, click 



77 + (1 - 77)pdark(2 - Pdark) 



Pfl.crr 



(fC27|) 



,no click 



Pscnt, see ([C2T| 



Pb.S.iio click 



(fC23|) 



Pb ,no click 



PB,S,no click 



clickPdark (2 - Pdark) 



PB,D,crr 



Pdark(l ~ Pdark) + Pdark/2 



PB,DS,. 



(1C26)) 



PB.S.crr 



|C24)| 



PB.crr 



Pb,s,. 



r(l -Pdark(2 - Pdark)) + PB,S,no clickPB,D,crr + PB. 



DS.crr 



TABLE II: Summary of probabilities for parametric down-conversion source 



but since M is the parameter which is relevant to the security of the protocol, we choose to consider the final rates 
as a function of M. 

The setting of a PDC source is slightly more difficult to analyze, but can lead to better rates $\ell/M$ than those 
arising from a weak coherent source, where, like before, $\ell$ is the number of bits of oblivious transfer we obtain and 
M is the number of valid pulses. The reason for this improvement is two-fold: First, from her measurement results, 
Alice can (with some probability) estimate how many photons have been emitted each given time. This means that 
we are no longer restricted to tuning the source such that the number of multi-photon emissions is too low, but can 
permit for a larger variation by relying on Alice to filter out the unwanted events. Second, a multi-photon emission 
does not provide dishonest Bob with full information about the signal state sent by Alice. In this scenario we need to 
consider the probability of success for dishonest Bob when a certain number of photons have been emitted which is 
given by Claim C.1 in the appendix. Table II again summarizes the probabilities we need to know in order to evaluate 
security. Since some expressions can be rather unwieldy for the case of a PDC source, we will sometimes refer to the 
corresponding equation in the appendix. 



2. Security parameters 

a. Weak string erasure We now investigate the security of $(m, \lambda, \varepsilon, p_{\rm err})$-weak string erasure, when using a PDC 
source. For easy comparison, we will consider exactly the same plots as before, where however we sometimes choose 
a different value for the mean photon number which seemed more useful for this source. For simplicity, we will also 
consider a setting where we give all the information encoded in multi-photons to dishonest Bob for free, i.e., we 
consider $p^n_{B,{\rm err}} = 0$, which clearly overestimates his capabilities as we see in Claim C.1. Again, we first consider when 
security can be obtained in principle (i.e., when (12) and (13) are satisfied) as a function of the mean photon number 
$\mu$, the detection efficiency $\eta$, the storage rate $\nu$ and the amount of storage noise, where our examples here focus on the 
depolarizing channel with parameter r as defined earlier. Figure 27 thereby tells us again when security is possible 
at all, independently of the amount of storage noise. As before, we then examine a particular example of storage 
noise and storage rates in Figure 28, which shows that even for low storage noise, we can hope to achieve security for many source 
settings. 
FIG. 27: (Color online) Security possible for $(\eta, \mu)$ in the 
shaded region where (12) is fulfilled. Our proof does not 
apply to parameters in the region below the curve. For 
the shaded region above the curve, additional conditions 
such as (13) are checked in the following Figure 28. 
FIG. 28: (Color online) Security possible for $(\eta, \mu)$ in the 
upper enclosed regions for a low storage noise of r = 0.9 
and storage rates 1/2 (dashed red line), 0.45 (dotted 
green line), 0.35 (dot dashed blue line), 0.25 (large dashed 
magenta line), 0.15 (solid black line), (satisfying (12) 
and (13)). 



Second, we consider again when conditions (12) and (13) can be satisfied in terms of the amount of noise in storage 
given by r, and the storage rate $\nu$ for some typical parameters in an experimental setup in Figure 29. It is interesting 
to note that the efficiency $\eta$ plays a much more prominent role when using a PDC source. This comes from the fact 
that Alice herself also uses a detector of efficiency $\eta$ to post-select some of the pulses. 
FIG. 29: (Color online) Security for $(r, \nu)$ below the lines for $\mu = 0.3$ and detection efficiencies $\eta$: 0.7 (solid black line), 0.5 
(large dashed magenta line), 0.4 (dot dashed blue line), 0.3 (dotted green line), 0.2 (dashed red line). 




Yet, we conclude that secure weak string erasure can be obtained for a reasonable choice of parameters, so it remains 
to establish the weak string erasure rate $\lambda$ by solving the optimization problem given by (16). Figure 30 gives us $\lambda$ 
for various choices of experimental settings, and a storage rate of $\nu = 1$. This demonstrates that even for a very high 
storage rate, there is a positive rate of $\lambda$ for many reasonable settings. 

The trade-off between $\lambda$ and the detection efficiency $\eta$ given in Figure 31 is quite similar to what we observed in 
the case of a weak coherent source. On the other hand, the trade-off between $\lambda$ and the mean photon number $\mu$ in 
Figure 32 shows that having a low mean photon number seems more significant. Recall, however, that we have for 
simplicity assumed that we give all multi-photons to Bob for free which greatly overestimates his capabilities when 
using a PDC source. These parameters could thus be improved when including multi-photons. 

b. 1-2 oblivious transfer We can now consider the security of $(\ell, \varepsilon)$-oblivious transfer based on weak string erasure 
implemented using a PDC source. In Figure 33 we first examine the trade-off between an independently chosen bit 
error rate $p_{\rm err}$ and the efficiency $\eta$, which is similar to what we observe for the case of a weak coherent source. 

Figure 34 now shows how many bits $\ell$ of 1-2 oblivious transfer we can hope to obtain per valid pulse M for very 
large M. This is much higher than what we observe for the case of a weak coherent source, but note that in all plots 
we only consider the valid pulses M. For a weak coherent source, this is equal to the actual number of pulses emitted 
as Alice does not post-select. However, for the case of a PDC source, Alice can (with some probability) discard 
rounds in which no photon has been emitted. This comparison is arguably unfair, but since M is the parameter that 
FIG. 30: (Color online) The WSE rate $\lambda$ in terms of the amount of depolarizing noise r where $\mu = 0.3$, and a variety of detection 
efficiencies $\eta$: 0.7 (solid black line), 0.6 (dashed red line), 0.5 (dotted blue line), 0.4 (dot dashed yellow line), 0.3 (large dashed 
magenta line) and 0.2 (larger dashed turquoise line). 

FIG. 31: (Color online) The WSE rate $\lambda$ in terms of the 
detection efficiency $\eta$ for r = 0.8 and storage rates $\nu$: 1/5 
(solid blue line), 1/4 (dashed red line), 1/2 (dotted green 
line), 2/3 (dot dashed magenta line). 

FIG. 32: (Color online) The WSE rate $\lambda$ in terms of the 
mean photon number $\mu$ for r = 0.8 and $\nu$ as in Figure 31. 



is relevant to the security of our protocol, we chose to use the number of valid pulses, instead of the number of all 
pulses. 



VI. CONCLUSIONS AND OPEN QUESTIONS 

We have shown that security in the noisy-storage model [H, [13] can in principle be obtained in a practical setting, 
and provided explicit security parameters for two possible experimental setups. Our analysis shows that the protocols 
of [Hi are well within reach of today's technology. 
FIG. 33: (Color online) Security for $(p_{\rm err}, \eta)$ in the shaded region for example parameters $r = 0.4$, $\nu = 1/5$ and large $\omega = 100000$. 
FIG. 34: (Color online) The rate $\ell/M$ of oblivious transfer for a large number of valid pulses M for parameters $\mu = 0.05$, 
$\omega = 1000$ and ($\eta = 0.3$, $r = 0.1$, $\nu = 1/10$, solid blue line), ($\eta = 0.7$, $r = 0.1$, $\nu = 1/10$, dashed red line), ($\eta = 0.7$, $r = 0.7$, 
$\nu = 1/4$, dotted magenta line), ($\eta = 0.7$, $r = 0.4$, $\nu = 1/3$, light blue line). Note that the scaling of this plot is different than for the WCP source with and without decoy states. 



We have been mostly focusing our attention on short-distance (in the order of a few meters) applications. For this 
range, it is an interesting experimental challenge to construct small handheld devices which can be used to implement 
these protocols. Nonetheless, in the future it might be interesting to study the curve between the rate and the distance 
of secure WSEE (in a similar way as the key rate versus distance curve in QKD). Such a curve will allow us to see 
if our protocols can be applied in a local area network (LAN) or metropolitan area network (MAN). Note that for 
medium-distance (say order 10km) applications, our protocol may still work. For instance, standard telecom fiber has 
a channel loss of about 0.2dB/km at telecom wavelength (i.e. 1550nm). So, 10km translates to only 2dB channel loss, 
which seems quite manageable! 

Many important theoretical (see [10]) as well as practical issues remain to be addressed. As in quantum key 
distribution (QKD), we have assumed that all experimental components behave as we expect them to. Hence, we 
have not considered any practical attacks such as exploiting detectors that are blind above a certain threshold [34], 
which is outside the scope of this work. Most importantly however, it is certainly possible to improve the parameters 
obtained here. These improvements can come from theoretical advances [10], as well as an exact optimization of all 
parameters for a particular experimental setup. Furthermore, in the case of parametric down conversion, for example, 
we have not made use of the fact that Bob cannot gain full information from multi-photon emissions, which leads to 
an increase in rates. Similarly, when using decoy states, one could make use of pulses emitted using a decoy setting 
in the protocol. This requires a careful analysis of weak string erasure for different photon sources analogous to the 
one presented in the appendix. Nevertheless, we hope that this analysis paves the way for a practical implementation 
of protocols in the noisy-storage model. 
Appendix A: Proof of security: WSEE 

Here we show how the security proof of [10] can be modified to apply in the practical settings considered in this 
paper. To this end, we first provide a more formal definition of WSEE. 

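Definition A.1. An $(m, \lambda, \varepsilon, p_{\rm err})$-weak string erasure protocol with errors (WSEE) is a protocol between Alice and 
Bob satisfying the following properties, where $\mathcal{E}_{p_{\rm err}}$ is defined as in (5): 

Correctness: If both parties are honest, then the ideal state $\sigma_{X^m \mathcal{I} \mathcal{E}_{p_{\rm err}}(X_{\mathcal{I}})}$ is defined such that 

1. The joint distribution of the m-bit string $X^m$ and subset $\mathcal{I}$ is uniform: 

$$ \sigma_{X^m \mathcal{I}} = \tau_{\{0,1\}^m} \otimes \tau_{2^{[m]}} , \tag{A1} $$

2. The joint state $\rho_{AB}$ created by the real protocol is $\varepsilon$-close to the ideal state: 

$$ \rho_{AB} \approx_{\varepsilon} \sigma_{X^m \mathcal{I} \mathcal{E}_{p_{\rm err}}(X_{\mathcal{I}})} , \tag{A2} $$

where we identify (A, B) with $(X^m, \mathcal{I}\mathcal{E}_{p_{\rm err}}(X_{\mathcal{I}}))$. 

Security for Alice: If Alice is honest, then there exists an ideal state $\sigma_{X^m B'}$ such that 

1. The amount of information B' gives Bob about $X^m$ is limited: 

$$ \frac{1}{m} H_\infty(X^m | B')_\sigma \geq \lambda \tag{A3} $$

2. The joint state $\rho_{AB'}$ created by the real protocol is $\varepsilon$-close to the ideal state: 

$$ \sigma_{X^m B'} \approx_{\varepsilon} \rho_{AB'} \tag{A4} $$

where we identify $(X^m, B')$ with (A, B'). 

Security for Bob: If Bob is honest, then there exists an ideal state $\sigma_{A' \hat{X}^m \mathcal{I}}$ where $\hat{X}^m \in \{0,1\}^m$ and $\mathcal{I} \subseteq [m]$ such 
that 

1. The random variable $\mathcal{I}$ is independent of $A' \hat{X}^m$ and uniformly distributed over $2^{[m]}$: 

$$ \sigma_{A' \hat{X}^m \mathcal{I}} = \sigma_{A' \hat{X}^m} \otimes \tau_{2^{[m]}} . \tag{A5} $$

2. The joint state $\rho_{A'B}$ created by the real protocol is $\varepsilon$-close to the ideal state: 

$$ \rho_{A'B} \approx_{\varepsilon} \sigma_{A' \mathcal{I} \mathcal{E}_{p_{\rm err}}(\hat{X}_{\mathcal{I}})} \tag{A6} $$

where we identify (A', B) with $(A', \mathcal{I}\mathcal{E}_{p_{\rm err}}(\hat{X}_{\mathcal{I}}))$. 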

We study Protocol 1, i.e., without the use of decoy states. The case of decoy states is analogous, where we obtain 
a different bound in (A19), as discussed in Section III B. The analysis is essentially the same in both cases, only we 
bound certain parameters in a different way. The general security evaluation of correctness and the case when Bob is 
honest follows the same arguments as in [10]. It is clear by construction that an honest Bob reports enough rounds so 
that Alice does not abort except with probability $\varepsilon$ and hence the real output states are at most $\varepsilon$-far from the ideal 
states. 

From now on we concentrate on the situation where Alice is honest, but Bob might try to cheat. Our analysis 
contains two steps. We first consider single-photon emissions, which we analyze as in [10], taking into account that 
Bob may report some additional single-photon rounds as missing. Second, we consider multi-photon rounds. The 
main difficulty arises from the fact that Bob may report up to 

$$ M_{\max} = \left(p^h_{B,{\rm no\ click}} + \zeta^h_{B,{\rm no\ click}}\right) M \tag{A7} $$

of the M rounds as missing, where he himself can choose which rounds to report. First of all, note that we can 
assume that even a dishonest Bob always reports a round as missing if he receives a vacuum state. By the same 
arguments as in Section II we have that the number of rounds where Bob observes no click lies in the interval 
$[(p^d_{B,{\rm no\ click}} - \zeta^d_{B,{\rm no\ click}}) M, (p^d_{B,{\rm no\ click}} + \zeta^d_{B,{\rm no\ click}}) M]$ ($\zeta^d_{B,{\rm no\ click}} = \sqrt{\ln(2/\varepsilon)}/\sqrt{2M}$), except with probability $\varepsilon$. 
Here, we make a worst-case assumption that the number of rounds where dishonest Bob observes no click is given by 

$$ M_{\rm nc} = \left(p^d_{B,{\rm no\ click}} - \zeta^d_{B,{\rm no\ click}}\right) M , \tag{A8} $$

and he can thus report up to 

$$ M^d_{\rm report} = M_{\max} - M_{\rm nc} = \left(p^h_{B,{\rm no\ click}} - p^d_{B,{\rm no\ click}} + \zeta^h_{B,{\rm no\ click}} + \zeta^d_{B,{\rm no\ click}}\right) M \tag{A9} $$

rounds of his choice to be missing. Let $M^{(n)}$ denote the number of rounds corresponding to an n-photon emission, 
let $r^{(n)}$ denote the fraction of n photon rounds that dishonest Bob chooses to report as missing, and let $M^{(n)}_{\rm left} = 
(1 - r^{(n)}) M^{(n)}$ denote the number of n photon rounds that dishonest Bob has left. Note that in the limit of large M 
we have $M^{(n)} = p^n_{\rm sent} M$. Clearly, we must have that 

$$ \sum_{n=1}^{\infty} r^{(n)} M^{(n)} \leq M^d_{\rm report} , \tag{A10} $$

or Alice will abort the protocol. 



1. Single-photon emissions 

Single photons are desirable, since they correspond to the idealized setting analyzed in [10] where Alice does indeed 
send BB84 states. Clearly, in the limit of large M, we expect roughly $p^1_{\rm sent} M$ single-photon rounds. However, since 
Bob may choose to report single-photon rounds as missing, we have to analyze how many rounds still contribute to 
our security analysis. The analysis of [10] links the security to the rate at which Bob has to send classical information 
through his noisy storage channel. In order to determine this rate, we first investigate the setting where he is not 
allowed to keep any quantum state. 

Let $X^{(1)}$ denote the substring of $X^M$ that corresponds to single-photon emissions. In [10] the rate at which 
Bob needs to send information through his noisy-storage channel depends on an uncertainty relation using post- 
measurement information. This uncertainty relation provides a bound on the min-entropy that Bob has about $X^{(1)}$ 
given a classical measurement outcome K, and the basis information he obtains later on. We are thus interested in 
the min-entropy 

$$ H_\infty(X^{(1)} | K^{(1)} \Theta^{(1)})_\rho = -\log P_{\rm guess}(X^{(1)} | K^{(1)} \Theta^{(1)}) , \tag{A11} $$

where we use $K^{(1)}$ and $\Theta^{(1)}$ to denote Bob's classical information and the basis information corresponding to the 
single-photon rounds respectively and $P_{\rm guess}$ is the probability that Bob guesses the string $X^{(1)}$ maximized over all 
choices of measurements anticipating his post-measurement information [41]. Important for us is the fact that 
since Alice picks one of the four BB84 encodings uniformly at random in each time slot, the initial state 

$$ \rho_{X^{(1)} Q^{(1)} \Theta^{(1)}} = \bigotimes_{j=1}^{M^{(1)}} \rho_{X^{(1)}_j Q^{(1)}_j \Theta^{(1)}_j} , \tag{A12} $$

has tensor-product form, and it follows from [41] together with [8] that also the state 

$$ \rho_{X^{(1)} K^{(1)} \Theta^{(1)}} = \bigotimes_{j=1}^{M^{(1)}} \rho_{X^{(1)}_j K^{(1)}_j \Theta^{(1)}_j} , \tag{A13} $$

is a tensor product, that is, Bob's best strategy to guess $X^{(1)}$ purely with the help of classical information has 
tensor-product form. It is important to note that this does not mean that Bob does indeed perform a tensor-product 
attack in general. It merely states that with respect to the uncertainty he has about $X^{(1)}$ given only his classical 
information and the basis information if he kept no quantum computation, his best attack would be a tensor-product 
attack. And hence for any other classical information that he may obtain from his actual attack in the protocol, this 
uncertainty is only going to be greater. 

We can now use the fact that the min-entropy of a tensor-product state is additive [8], to conclude that the min- 
entropy that Bob has about $X^{(1)}$ given $K^{(1)}$ and $\Theta^{(1)}$ is thus a min-entropy per bit, which allows us to compute the 
remaining min-entropy if Bob reports some of the single-photon rounds as missing. More precisely, if $X^{(1)}_{\rm left}$ is the 
substring of $X^M$ corresponding to the single-photon rounds that Bob does not report as missing, we know from the 
uncertainty relation of [12] and a purification argument that 

where $K^{(1)}_{\rm left}$ and $\Theta^{(1)}_{\rm left}$ correspond to the classical and basis information respectively for the remaining single-photon 
rounds, and 

e = cxp M icft . (A15) 

P \ 32(2 + logi)2y ^ > 

To determine the security as a whole, we of course need to take into account that dishonest Bob also holds some 
quantum information about $X^{(1)}_{\rm left}$, besides his classical information. We adopt the notation of [10] and write 

PxQ e (1) kwhq^) = ; H P K \x= x ,e=e{k) \x) (x\®\G){6\®\h){k\® F{Q xek ) , (A16) 

left loft * (2 * i«ft x „ v — ^ s v ' 

k^fc Alice Bob Bt 1 ) 

where Bob holds $B^{(1)} = \Theta^{(1)}_{\rm left} K^{(1)}_{\rm left} \mathcal{F}(Q_{\rm in})$, and $\zeta_{x\theta k} \in \mathcal{B}(Q_{\rm in})$ is the state entering Bob's quantum storage when Alice 
chose x and $\theta$, and Bob already extracted some classical information k. Here, $K^{(1)}$ includes all of Bob's classical 
information, and depending on Bob's attack may not have tensor-product form. Nevertheless, we know from [10] 
that (A14) tells us at which rate cheating Bob has to send information through his storage channel $\mathcal{F}$ for any attack 
he conceives. 



a. General storage noise 



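In particular, we can now make use of the uncertainty relation (A14) together with the analysis of [10, Lemma 2.2 
and Theorem 3.3] to obtain that for single-photon rounds we have that for any attack of dishonest Bob 

$$ H^{\varepsilon}_\infty\!\left(X^{(1)}_{\rm left} \,\middle|\, \Theta^{(1)}_{\rm left} K^{(1)}_{\rm left} \mathcal{F}(Q_{\rm in})\right) \geq -\log P^{\mathcal{F}}_{\rm succ}\!\left(\left(\tfrac{1}{2} - \delta\right) M^{(1)}_{\rm left}\right) , \tag{A17} $$

for 

$$ \varepsilon = 2 \exp\!\left(-\frac{(\delta/4)^2}{32\,(2 + \log(4/\delta))^2} \cdot M^{(1)}_{\rm left}\right) . \tag{A18} $$

Note that we have from (A10) that 

$$ r^{(1)} \leq \frac{p^h_{B,{\rm no\ click}} - p^d_{B,{\rm no\ click}} + \zeta^h_{B,{\rm no\ click}} + \zeta^d_{B,{\rm no\ click}}}{p^1_{\rm sent} - \zeta^1_{\rm sent}} , \tag{A19} $$

and hence 

$$ M^{(1)}_{\rm left} = (1 - r^{(1)}) M^{(1)} \tag{A20} $$

$$ \geq M \left(1 - \frac{p^h_{B,{\rm no\ click}} - p^d_{B,{\rm no\ click}} + \zeta^h_{B,{\rm no\ click}} + \zeta^d_{B,{\rm no\ click}}}{p^1_{\rm sent} - \zeta^1_{\rm sent}}\right) \left(p^1_{\rm sent} - \zeta^1_{\rm sent}\right) , \tag{A21} $$

which in the limit of large M gives us 

$$ M^{(1)}_{\rm left} \geq M \left(p^1_{\rm sent} + p^d_{B,{\rm no\ click}} - p^h_{B,{\rm no\ click}}\right) . \tag{A22} $$
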

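Since $r^{(1)}$ is chosen by dishonest Bob and hence is unknown to Alice, we bound $\varepsilon$ for any strategy of dishonest Bob as 

$$ \varepsilon \leq 2 \exp\!\left(-\frac{(\delta/4)^2}{32\,(2 + \log(4/\delta))^2} \left(1 - \frac{p^h_{B,{\rm no\ click}} - p^d_{B,{\rm no\ click}} + \zeta^h_{B,{\rm no\ click}} + \zeta^d_{B,{\rm no\ click}}}{p^1_{\rm sent} - \zeta^1_{\rm sent}}\right) \left(p^1_{\rm sent} - \zeta^1_{\rm sent}\right) M\right) . \tag{A23} $$

In the case of decoy states, we just obtain a better bound in (A19), where the remaining security analysis is analogous. 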
b. Tensor-product channels 

Of particular interest is the case where Bob's storage noise is of the form $\mathcal{F} = \mathcal{N}^{\otimes \nu M_{\rm store}}$ where $\nu$ is the storage rate, 
$M_{\rm store}$ is the number of bits we count to determine Bob's storage, and $\mathcal{N}$ obeys the strong converse property [19]. 
As outlined earlier, we assume that the number of qubits that determines Bob's storage size is as in the idealistic 
setting of [10] given by the number of single-photon emissions that we expect an honest Bob to receive for large M, 
i.e., $M_{\rm store} = p^1_{\rm sent} \cdot p^{h|1}_{B,{\rm click}} M$. 

From the strong converse property of $\mathcal{N}$ follows that 

$$ -\log P^{\mathcal{N}^{\otimes \nu M_{\rm store}}}_{\rm succ}(M_{\rm store} R) \geq \nu \cdot \gamma^{\mathcal{N}}(R/\nu)\, M_{\rm store} , \tag{A24} $$

where $\gamma^{\mathcal{N}}(R/\nu) > 0$ for $C_{\mathcal{N}} \cdot \nu < R$ and $C_{\mathcal{N}}$ is the classical capacity of the channel $\mathcal{N}$ [19]. To achieve security in this 
setting we hence want to determine R such that 



1 



£ - 6 ) M llft = R ■ M ^ro , (A25) 



which gives us 



R=(l- S ) (1 Clcnt) f ° r > ° ' (A26) 

^ ' Psent ' Pb, click 

and R = otherwise, which for large M becomes 

/l \ 1- rW 

R ={-2- s )7^- (A27) 

v 7 -^B, click 

Whenever \. , > 0, note that R can be significantly larger than 1/2 due the difference between and M siOTe . 

We can now use (|A19|) to bound R as 



2 

which for large M is just 



R> ( S I max 



1 Pb .no click Pb ,no click + Cb ,no click + Cb .no click 

' ~h\l ~i h\l 

Pb, click Pscnt ' Pb, click 



(A28) 



q Psent PB,no click + Pl3,no click 



1 h\l 
Pscnt ' Pb, click 



(A29) 



Summarizing, we have that for any strategy of dishonest Bob 



Koixll^K^TiQ^)) > » ■ ( - ] M stme . (A30) 



2. Multi-photon emissions 



It remains to address the case of multi-photon emissions. We analyze here a conservative scenario where dishonest 
Bob obtains the basis information for free whenever a multi-photon emission occurred. This situation can only make 
dishonest Bob more powerful. Note that this also means that Bob will never attempt to store such emissions, since 
he will never obtain more information about them than he already has. We thus assume that Bob keeps no quantum 
knowledge about the rounds corresponding to multi-photon emissions. We will see below that for the case of a PDC 
source, Bob nevertheless does not obtain full information about a bit in the case of a multi-photon emission. 

For an n-photon emission, the probability that Bob performs a correct decoding is given by $(1 - p^n_{B,{\rm err}})$. If bit j of 
$X^M$ was generated by an N = n-photon emission, we thus have 

$$ H_\infty(X_j | \Theta_j K_j, N = n) = -\log\left(1 - p^n_{B,{\rm err}}\right) . \tag{A31} $$

Since we assume that Bob keeps no quantum information about the multi-photon rounds we may write his state 
corresponding to the rounds in which n > 1 photons have been emitted as 

$$ \rho_{X^{(n)} B^{(n)}} = \bigotimes_{j} \rho_{X^{(n)}_j B^{(n)}_j} , \tag{A32} $$

where $B^{(n)}$ is a classical register. Using the fact that the min-entropy is additive for a tensor-product state [8], we 
have that Bob's min-entropy about the substring $X^{(n)}_{\rm left}$ of $X^M$ (belonging to N = n photon emissions that Bob does 
not report as missing) is given by 

$$ \frac{1}{M^{(n)}_{\rm left}} H_\infty\!\left(X^{(n)}_{\rm left} \,\middle|\, \Theta^{(n)}_{\rm left} K^{(n)}_{\rm left}, N = n\right) = -\log\left(1 - p^n_{B,{\rm err}}\right) . \tag{A33} $$

3. Putting things together 

Let $X^m$ be the substring of bits of $X^M$ that Bob does not report as missing. In order to determine the overall 
security parameters, we need to determine how much min-entropy dishonest Bob has about 

$$ X^m = \bigcup_{n=1}^{\infty} X^{(n)}_{\rm left} . \tag{A34} $$


Since we assume that Bob keeps no quantum information about the multi-photon rounds we may write the state of 
the system if Bob is dishonest as 

$$ \rho_{X^m B'} = \bigotimes_{n=1}^{\infty} \rho_{X^{(n)}_{\rm left} B^{(n)}} , \tag{A35} $$


where contains a copy of all classical information available to Bob, and where we have reordered the systems 
into parts belonging to different photon number n. The following theorem comes from [10, Theorem 3.3], together 
with the discussion given above. 

Theorem A.2 (Security against Bob). Fix $\delta \in ]0, \frac{1}{2}[$ and let 



32(2 + log(4/<5)) 2 



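Then for any attack of a dishonest Bob with storage $\mathcal{F} : \mathcal{B}(\mathcal{H}_{\rm in}) \to \mathcal{B}(\mathcal{H}_{\rm out})$, there exists a cq-state $\sigma_{X^m B'}$ such that 

1. $\sigma_{X^m B'} \approx_{2\varepsilon} \rho_{X^m B'}$, 

2. $\frac{1}{m} H_\infty(X^m | B')_\sigma \geq -\frac{1}{m} \left[\log P^{\mathcal{F}}_{\rm succ}(R \cdot M_{\rm store}) + \sum_{n=2}^{\infty} M^{(n)}_{\rm left} \log\left(1 - p^n_{B,{\rm err}}\right)\right]$, 
where $\rho_{X^m B'}$ is given by (A35). 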

Proof. Let o- x (i) Ba) be defined as in the analysis of single-photon emissions in [13]. Following the same arguments as 
in flo| and adding another e for the probability that the number of rounds in which Bob observes no click lies outside 
the interval [(pg click -CB,„o click) M > (pt,no ciick + C^no click) M L we § et \\\P X V B W _<7 x (1 2 bW I' 1 - 2e ' Furthermore, 

left left 

let tr x („) s(ll) = p x (™) Bin) for n > 1 and let 



a X m. B , = (&) o-^(n) R(n) . (A37) 

n=l 



Note that by the subadditivity of the trace distance, we have 



^\\px^B' -trx^B'h < 2£ • ( A38 ) 
It remains to show that $\sigma_{X^m B'}$ has high min-entropy. Note that 

oo 

iMXHfl), = U^X^llB^ + J2^oo(xl: { >\B^) r7 , (A39) 

where we have used the additivity of the min-entropy for tensor-product states [8], and that conditioning on indepen- 
dent information does not change the min-entropy. Our claim now follows immediately from Sections A 1 and A 2. □ 

We can again specialize this result to the case of tensor-product channels. 

Corollary A. 3 (Security against Bob). Let Bob's storage be described by T = J\f® vM **°™ with v > 0, M satisfying 
the strong converse property fldlj . and 

Cm ■ v < min R , (A40) 

7.(1) 

where R is defined in (|A26|) . Fix 8 S]0,min r( i) R — Cjsf ■ v\. Then, for any attack of dishonest Bob there exists a 
cq-state o~x m B> such that 

1. 0~ x m B' ~2e PX m B' , 

2. i K^X^BX > i [ Mstmc v ■ y"(R/v) - EZ2 M&l log (l - ^™ rr )" , 

with px n B> and e given by (|A35I) and (|A36[) respectively. 

Our main theorem now follows by allowing Bob to choose $\{r^{(n)}\}$ minimizing his total min-entropy. To be able 
to give an exact security guarantee we bound the parameter $\varepsilon$ which may depend on dishonest Bob's choice of $r^{(1)}$ 
using (A23). 

Theorem A. 4 (Weak string erasure). Protocol 1 is an (m, X(8),e(8),p^ CII )-weak string erasure protocol for the 
following two settings: 

1. Let Bob's storage be given by T : B(H m ) — > B(H ou t), and let 8 €]0, h\. Then we obtain a min-entropy rate 



\{8) — min lim — 

{r<")}„ m^oo m 



00 

logP^ (R ■ M store ) - M&l log (l ~ P% 

n=2 



(A41) 
(A42) 



where the minimization is taken over all {r<»}„ such that J2n=i r (n) M^ < M? cpmt and 

CO 

, M store = pl cnt ■ # click M (A43) 



m = 

n=l 



'1 \ 1 - r-W 

* U-^Hn— * (A44) 

' Pb, click 



and error 



1 / Pscnt .HO click Pb .110 click + Cb .no click + Cb 



; 1 ( 1 1 >- >i ■ u 1 >- j_. . ui > i ■ 1 1 1 ■ k j j_> . 1.1 < j < 1 n ".is 'i_> . mi ( in ■ k 'jn.no click/ 1 1 -., 1 

e (5 < 4exp - — - 5— • p scnt - '■ j —i ! ) ) M ) ■ 

\ 512(4 + log i) 2 \^ ^ Psent-Csent JJ / 

(A45) 

2. Suppose J- = 7V"® l ' Mstoro for a storage rate v > 0, J\f satisfying the strong converse property Jldj and having 
capacity Cj^ bounded by 

Cm-v <minR . (A46) 



Let 8 g]0, I — CV • v[. Then we obtain a min-entropy rate of 



X(S) = min — 
{ r W}„ m 



, . ^ (f\ M storc - x: a4; } log (1 - P B '" r 



71=2 



(A47) 



for sufficiently large M . 
Appendix B: Proof of security: FROT from WSEE 



We show that our augmented protocol implements fully randomized oblivious transfer, as defined in [10]. The proofs 
of correctness and security for honest Bob are analogous to the ones given in [10], using the fact that the properties of 
the error-correcting code ensure that Bob obtains $S_C$ except with probability $\varepsilon$. Furthermore, note that a dishonest 
Alice cannot gain any information about C from a one-way error-correction scheme. We therefore concentrate on 
proving security for an honest Alice when Bob is dishonest. The proof proceeds as in [10], except for a small variation 
which we state below. 

Lemma B.l (Security for Alice). Let I := ((^) f - - 1 - 2 ' fe 8 (p °" ) ) m - |J . Then, Protocol WSEE-to- 

FROT satisfies security for Alice with an error of 



lu — 1 \ Am 



41.2 515^'" + 2e. 

Proof. We know from the analysis in [l(| that 

H^ 45 (n(z) Enc(M/it _ c) |^Ci?oi?i^ t ^ns'",^)^ > ^-t- 1 ' (Bi) 

where B'" is the system of dishonest Bob after the interactive hashing protocol and A is the event that the inter- 
active hashing protocol provides us with a set W\_ c of high min-entropy. A has probability Pr[_4] > 1 — 32<5 2 , 

where 5 = 2-« a2 /( 512 " 2 ). Here, Bob has some additional information given by the syndromes Syn(II(Z)j) of 
the blocks j € Enc(Wo) U Enc(W*). Let us denote the total of this error-correcting information by Syn := 
{Syn(n(Z)j)} 36Enc (^t) UEnc( - H/ t). Notice that even if the encodings overlap in some blocks, only the syndromes of 
the a/4 blocks in Enc(W r *_ c ) lower Bob's min-entropy on H(Z) Enc ^ w t y We can hence bound 



R^ i \n(Z) Enc{wL JS" c CR R 1 W^WlllSynB / '',A)a (B2) 

m 

T 



> R^ 5 (^hn C (wl_ c )\S £ c CR R 1 W t WlUB''' ) A) a - 1.2 • h( Pm .)^ (B3) 



>((— )^-htJpd) n -t-l i (B4) 



Co' 



where the first inequality follows from the chain rule, the monotonicity of the smooth min-entropy [29], and the fact 
that error-correction information needs to be sent for $\beta \cdot \alpha/4 = m/4$ bits. Using privacy amplification [29], we then 
have that, conditioned on the event $\mathcal{A}$, 

2 \\^Si-c,ScCRoRiW^WlnSynB"' ~ T {0,1} £ ® a S c CR Q F!^ WgWfnSynB'" II 1 < <5 + 2e + 8(5 , (B5) 



since 



which follows from 



1 ^ Am _ 1.2 ■ h( Pcm .) m _ _ = _A^o_ 

4 4 - & I 512cj2 



I < 



1\ A 1.2 • h(p erT )\ A 2 a 1 



8 8 J " 512cj 2 2 ' 

Let B* := (RoRiW^W^USynB'") be Bob's part in the output state. Since Pr[.A] > 1 - 32<5 2 , we get 

O'S^cScB'C ~32«5 2 +9<5+2e T {0,l} e ®^S C B'C 

and 

&S0S1B* = PSoSiB* ■ 

Since $\delta^2 < \delta$, this implies the security condition for Alice, with a total error of at most $41\delta + 2\varepsilon$. □ 






Appendix C: Derivation of parameters 

In this section, we show how to compute the parameters for both experimental setups. 

1. Weak coherent source 

The case of phase-randomized weak coherent pulses is particularly easy to analyze, since here we can assume that 
Bob always gains full knowledge of the encoded bit from a multi-photon emission. That is, $p^{d,n}_{B,\text{err}} = 0$ for all $n > 1$. 
In particular, this yields 

$$p^{d}_{B,\text{no click}} = p^{0}_{\text{src}} = e^{-\mu} \tag{C1}$$

and 

$$p^{1}_{\text{src}} = e^{-\mu}\mu. \tag{C2}$$

The action of Bob's detection device can be described by two positive-operator valued measures (POVM), one for each 
of the two polarization bases $\beta$ used in the BB84 protocol. Each POVM contains four elements: $F^{\beta}_{\text{vac}}$, $F^{\beta}_{0}$, $F^{\beta}_{1}$, and $F^{\beta}_{D}$. 
The outcome of the first operator, $F^{\beta}_{\text{vac}}$, corresponds to no click in the detectors, the following two POVM operators, 
$F^{\beta}_{0}$ and $F^{\beta}_{1}$, give precisely one detection click, and the last one, $F^{\beta}_{D}$, gives rise to both detectors being triggered. If 
we denote by $|n,m\rangle_{\beta}$ the state which has $n$ photons in one mode and $m$ photons in the orthogonal polarization mode 
with respect to the polarization basis $\beta$, the elements of the POVM for this basis are given by 

$$F^{\beta}_{\text{vac}} = \sum_{n,m=0}^{\infty} \bar{\eta}^{\,n+m}\, |n,m\rangle_{\beta}\langle n,m|, \tag{C3}$$

$$F^{\beta}_{0} = \sum_{n,m=0}^{\infty} (1-\bar{\eta}^{\,n})\,\bar{\eta}^{\,m}\, |n,m\rangle_{\beta}\langle n,m|,$$

$$F^{\beta}_{1} = \sum_{n,m=0}^{\infty} (1-\bar{\eta}^{\,m})\,\bar{\eta}^{\,n}\, |n,m\rangle_{\beta}\langle n,m|,$$

$$F^{\beta}_{D} = \sum_{n,m=0}^{\infty} (1-\bar{\eta}^{\,n})(1-\bar{\eta}^{\,m})\, |n,m\rangle_{\beta}\langle n,m|,$$

where $\eta$ is the detection efficiency of a detector as introduced in Section IV A 1 and $\bar{\eta} = (1 - \eta)$. Furthermore, we take 
into account that the detectors show noise in the form of dark counts which are, to a good approximation, independent 
of the incoming signals. As in Section IV A 1, the dark count probability of each detector is denoted by $p_{\text{dark}}$. 
First of all, since Alice does not verify how many photons have actually been emitted we have 

$$p^{1}_{\text{sent}} = p^{1}_{\text{src}}. \tag{C4}$$

To determine the other parameters, we start by computing the probability that an honest Bob does not observe a 
click due to a signal being sent, which can be expressed as 

$$p^{h}_{B,S,\text{no click}} = \mathrm{Tr}(F^{\beta}_{\text{vac}}\,\rho_k) = e^{-\mu}\sum_{n=0}^{\infty}\frac{\mu^{n}}{n!}(1-\eta)^{n}, \tag{C5}$$

with $\rho_k$ given by (25). Conversely, the probability that Bob does see a click due to a signal being sent is 

$$p^{h}_{B,S,\text{click}} = 1 - p^{h}_{B,S,\text{no click}}. \tag{C6}$$

To calculate the total probability of Bob observing a click in his detection apparatus, we have to take dark counts 
into account. We now write the probability of Bob observing no click due to a dark count as 

$$p^{h}_{B,D,\text{no click}} = (1 - p_{\text{dark}})^{2}, \tag{C7}$$

and the probability that at least one of his two detectors clicks becomes 

$$p^{h}_{B,D,\text{click}} = p_{\text{dark}}(2 - p_{\text{dark}}). \tag{C8}$$

The total probability that honest Bob observes a click is thus 

$$p^{h}_{B,\text{click}} = p^{h}_{B,S,\text{click}}\,p^{h}_{B,D,\text{no click}} + p^{h}_{B,S,\text{no click}}\,p^{h}_{B,D,\text{click}} + p^{h}_{B,S,\text{click}}\,p^{h}_{B,D,\text{click}} = p^{h}_{B,S,\text{click}} + p^{h}_{B,S,\text{no click}}\,p^{h}_{B,D,\text{click}}. \tag{C9}$$

Note that 

$$p^{h}_{B,\text{no click}} = 1 - p^{h}_{B,\text{click}}. \tag{C10}$$

To finish our analysis, it remains to evaluate the error probability for honest Bob, which determines how much 
error-correcting information Alice will send him. First of all, an error may occur from the signal itself, for example 
due to misalignment in the channel. We have 

$$p^{h}_{B,S,\text{err}} = e_{\text{det}} \cdot p^{h}_{B,S,\text{click}}. \tag{C11}$$

The second source of errors are dark counts. If the signal has been lost, the probability of making an error due to a 
dark count is given by the probability that Bob experiences a click in the wrong detector, or both his detectors click. 
Hence, we have 

$$p^{h}_{B,D,\text{err}} = p_{\text{dark}}(1 - p_{\text{dark}}) + \frac{p_{\text{dark}}^{2}}{2}, \tag{C12}$$

where the second term stems from letting Bob flip a coin to determine the outcome bit when both of his detectors click. 
We can also have a combination of errors from the signal and the dark counts. Considering all different possibilities 
we obtain 

$$p^{h}_{B,DS,\text{err}} = p^{h}_{B,S,\text{click}}\left[(1 - e_{\text{det}})\frac{p_{\text{dark}}}{2} + e_{\text{det}}\,p_{\text{dark}}\left(\frac{3}{2} - p_{\text{dark}}\right)\right]. \tag{C13}$$

Putting everything together we have 

$$p^{h}_{B,\text{err}} = p^{h}_{B,S,\text{err}}\,p^{h}_{B,D,\text{no click}} + p^{h}_{B,S,\text{no click}}\,p^{h}_{B,D,\text{err}} + p^{h}_{B,DS,\text{err}}. \tag{C14}$$
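The weak-coherent-source parameters of this subsection can be evaluated numerically and the combined error probability cross-checked by listing every detection pattern (signal lost, right or wrong, with or without a dark count in each detector). The following is an added example, not code from the paper; the function names, dictionary keys and sample values are assumptions chosen for illustration.

```python
import math
from itertools import product

def wcs_parameters(mu, eta, p_dark, e_det, n_max=60):
    """Honest-Bob click and error probabilities for a weak coherent source.

    mu: mean photon number, eta: detector efficiency, p_dark: dark count
    probability per detector, e_det: signal error rate (e.g. misalignment).
    """
    # No click from the signal: Poisson-weighted sum of (1 - eta)^n, as in (C5).
    term, s_noclick = math.exp(-mu), 0.0
    for n in range(n_max + 1):
        s_noclick += term
        term *= mu * (1 - eta) / (n + 1)
    s_click = 1 - s_noclick
    d_noclick = (1 - p_dark) ** 2               # no dark count in either detector
    d_click = p_dark * (2 - p_dark)             # at least one dark count
    click = s_click + s_noclick * d_click
    s_err = e_det * s_click
    d_err = p_dark * (1 - p_dark) + p_dark ** 2 / 2
    ds_err = s_click * ((1 - e_det) * p_dark / 2 + e_det * p_dark * (1.5 - p_dark))
    err = s_err * d_noclick + s_noclick * d_err + ds_err
    return {"p0_src": math.exp(-mu), "p1_src": mu * math.exp(-mu),
            "s_click": s_click, "click": click, "no_click": 1 - click, "err": err}

def error_by_enumeration(s_click, e_det, p_dark):
    """Recompute the error probability by listing every detection pattern."""
    signal = [(None, 1 - s_click), ("right", s_click * (1 - e_det)),
              ("wrong", s_click * e_det)]
    total = 0.0
    for (hit, p_sig), dark_right, dark_wrong in product(signal, (False, True), (False, True)):
        p = p_sig
        p *= p_dark if dark_right else 1 - p_dark
        p *= p_dark if dark_wrong else 1 - p_dark
        right = dark_right or hit == "right"
        wrong = dark_wrong or hit == "wrong"
        if right and wrong:
            total += p / 2          # double click: Bob flips a coin
        elif wrong:
            total += p              # only the wrong detector fired
    return total

if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    params = wcs_parameters(mu=0.3, eta=0.7, p_dark=1e-3, e_det=0.02)
    print(params, error_by_enumeration(params["s_click"], 0.02, 1e-3))
```

The enumeration reproduces the closed-form error probability, including the factor 3/2 that arises when the signal hits the wrong detector and a dark count may or may not trigger the right one.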



2. Parametric down conversion source 



In this section, we show how to compute all relevant parameters for a PDC source. Recall that at each time slot, 
the source itself emits an entangled state given by (38). The state $|\Phi_n\rangle_{AB}$ which appears in (40) can be written as 



\*n)AB = Yl \ tL= ° J (a f \0,0) A \m,n-m) B . (C15) 




FIG. 35: $a$ and $b$ denote the input modes to a beam splitter (BS) of transmittance $\eta$, while $c$ and $d$ are the output modes. 



We shall consider that both detectors on Alice's side are equal. In this situation, it is possible to attribute their 
losses to a single-loss beam splitter of transmittance $\eta$ as illustrated in Figure 35. The creation operators $a_1^{\dagger}$ and $a_2^{\dagger}$ 
can be expressed as 

$$a_1^{\dagger} = \sqrt{\eta}\,c_1^{\dagger} + \sqrt{1-\eta}\,d_1^{\dagger},$$
$$a_2^{\dagger} = \sqrt{\eta}\,c_2^{\dagger} + \sqrt{1-\eta}\,d_2^{\dagger},$$

for the two orthogonal polarization modes. Tracing out the modes $d_1$ and $d_2$ we obtain that the state shared by Alice 
and Bob, after accounting for Alice's losses, is given by 

n n' min(n— m,n' — m') min(m,m') 

pab = J2\/p^Psrc E EE E 

n,n' m—0m'=0 j—0 £—0 



(n — m)\m\ 



(n - m - j)\j\(m - t)\t\ 



(n'-m')\m'\ (-1)™+™' ^ +n ,_ 2j _ n ^——2 U+e) 



y {ri - m' - j)\j\(m' - V^TTv^TT 
\n — m — j, in — £) (n' — in' — j, m! — £\a ® \m, n — in) (to', n' — to'|b- 

Even though we again have two bases, we will only consider one of the two; the other one merely differs 
in a prior transform by Alice and does not change the resulting probabilities. For perfect threshold detectors, the 
probability that Alice sees a click in her first detector (concluding an encoding of '0') is given by 

oo n n—1 

Pi,s,ciick = Tr((Cf ® l B ) PAB ) = J2 "TIT, £ K 1 - V)" 1 (1 - V) n ] (C16) 

n—1 m—0 

where 

oo 

cf = ^\n)(n\ cl ®\o)(o\ C2 . ( C1? ) 

n=l 

The probability that she observes a click in the second detector is similarly determined by p\ s click = Tr((C^(g)I B )pAB) 
with 

oo 

= |0)(0| Cl ®^|n)(n| C2 . (C18) 

n=l 

If Alice sees no click in a given round, or both her detectors click, she simply discards this round altogether and it 
no longer contributes to the protocol. We have that $p^{0}_{A,S,\text{click}} = p^{1}_{A,S,\text{click}}$. 

As discussed previously, we consider that the noise in the form of dark counts shown by the detectors is, to a good 
approximation, independent of the incoming signals. Then, to include this effect, we have to consider the probability 
of observing a click due to a dark count alone. This is given by the probability that we detect no photons 

$$p_{\text{vac}} = \mathrm{Tr}\big((|0,0\rangle\langle 0,0|_{c_1,c_2} \otimes \mathbb{1}_B)\,\rho_{AB}\big), \tag{C19}$$

but the detector clicks because of a dark count. We can obtain the probability that Alice observes only one click due 
to a signal or a dark count, by considering operators of the form 

Ct = (l-Pdark)C 1 yl + (l-pdark)Pdark|0,0)(0,0| c i iC 2, 
C£ = (1 -Pdark)C^ + (1 -pdark)Pdark|0,0)(0,0| c i iC2 , 

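which gives us 

$$p^{0}_{A,\text{click}} = p^{1}_{A,\text{click}} = (1 - p_{\text{dark}})\,p^{0}_{A,S,\text{click}} + (1 - p_{\text{dark}})\,p_{\text{dark}}\sum_{n=0}^{\infty} p^{n}_{\text{src}}(1-\eta)^{n}. \tag{C20}$$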

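Combining everything, and tracing out Alice's register we obtain that Bob's unnormalized states are given by 

$$\tilde{\rho}^{0}_{B} = (1 - p_{\text{dark}})\,\tilde{\rho}^{0,\text{sig}}_{B} + (1 - p_{\text{dark}})\,p_{\text{dark}}\,\tilde{\rho}^{\text{vac}}_{B},$$
$$\tilde{\rho}^{1}_{B} = (1 - p_{\text{dark}})\,\tilde{\rho}^{1,\text{sig}}_{B} + (1 - p_{\text{dark}})\,p_{\text{dark}}\,\tilde{\rho}^{\text{vac}}_{B},$$

with 

$$\tilde{\rho}^{0,\text{sig}}_{B} = \sum_{n=1}^{\infty}\frac{p^{n}_{\text{src}}}{n+1}\sum_{m=0}^{n-1}\left[(1-\eta)^{m} - (1-\eta)^{n}\right]|m,n-m\rangle\langle m,n-m|_{B},$$

$$\tilde{\rho}^{1,\text{sig}}_{B} = \sum_{n=1}^{\infty}\frac{p^{n}_{\text{src}}}{n+1}\sum_{m=0}^{n-1}\left[(1-\eta)^{m} - (1-\eta)^{n}\right]|n-m,m\rangle\langle n-m,m|_{B},$$

$$\tilde{\rho}^{\text{vac}}_{B} = \sum_{n=0}^{\infty} p^{n}_{\text{src}}\frac{(1-\eta)^{n}}{n+1}\sum_{m=0}^{n}|m,n-m\rangle\langle m,n-m|_{B}.$$

In the following, we use $\rho = \tilde{\rho}/\mathrm{Tr}(\tilde{\rho})$ to refer to the normalized versions of these states. Note that these normalization 
factors are the same for an encoding of a '0' or a '1' and are given by $c = p^{0}_{A,\text{click}}$. 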

We can now write the probability that the source emits $n$ photons given that Alice obtained one single click in her 
measurement apparatus as 

$$p^{n}_{\text{sent}} = \frac{p^{n}_{\text{src}}}{c}(1 - p_{\text{dark}})\left(p_{\text{dark}}(1-\eta)^{n} + \frac{1}{n+1}\sum_{m=0}^{n-1}\left((1-\eta)^{m} - (1-\eta)^{n}\right)\right). \tag{C21}$$



We are now ready to compute the probabilities relevant to the security analysis. First of all, we need to know the 
probability that honest Bob observes a click for the pulses where Alice has obtained one single click, 

$$p^{h}_{B,\text{click}} = p^{h}_{B,S,\text{click}}\,p^{h}_{B,D,\text{no click}} + p^{h}_{B,S,\text{no click}}\,p^{h}_{B,D,\text{click}} + p^{h}_{B,S,\text{click}}\,p^{h}_{B,D,\text{click}}. \tag{C22}$$

The probability that honest Bob does not observe a click at all, due to the signal, is given by 

$$p^{h}_{B,S,\text{no click}} = \mathrm{Tr}(F_{\text{vac}}\,\rho^{0}_{B}) = \frac{1}{c}\left[p_{\text{dark}}(1 - p_{\text{dark}})\sum_{n=0}^{\infty} p^{n}_{\text{src}}(1-\eta)^{2n} + (1 - p_{\text{dark}})\sum_{n=1}^{\infty}\frac{p^{n}_{\text{src}}}{n+1}\sum_{m=0}^{n-1}\left[(1-\eta)^{m} - (1-\eta)^{n}\right](1-\eta)^{n}\right]$$

and 

$$p^{h}_{B,S,\text{click}} = 1 - p^{h}_{B,S,\text{no click}}, \tag{C23}$$

where the probabilities $p^{h}_{B,D,\text{no click}}$ and $p^{h}_{B,D,\text{click}}$ are defined in the same way as in the previous section. We also need 
to determine the probability of an error for honest Bob. This is calculated analogously to the case of a weak coherent 
source, where we consider the probabilities of an error due to the signal itself, dark counts, and both combined. In our 
setting an honest Bob has two detectors to decide what bit Alice has encoded. If both detectors click, we shall consider 
again that honest Bob flips a coin to determine the outcome. It is enough to analyze the case of a '0' encoding; the 
'1' encoding provides the same result. The probability that Bob makes an error due to the signal is given by 



where 



<s, er r=-Tr(F i 50), (C24) 
c 



F - F + -F 



o - (! - edet)-Po + edet-Ff 



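and $F_{0}$, $F_{1}$, and $F_{D}$ are given by (C3). Note that 

$$p^{h}_{B,S,\text{click}} = p^{h}_{B,S,\text{err}} + p^{h}_{B,S,\text{no err}}. \tag{C25}$$

Then, using that 

$$p^{h}_{B,DS,\text{err}} = p^{h}_{B,S,\text{err}}\,p_{\text{dark}}\left(\frac{3}{2} - p_{\text{dark}}\right) + p^{h}_{B,S,\text{no err}}\,\frac{p_{\text{dark}}}{2}, \tag{C26}$$

we can now compute the combined error of Bob as in Eq. (C14). 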

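In the case of a PDC source we also need to compute Bob's success probability of decoding a bit from a multi-photon 
emission, if he is given the basis information for free. First of all, note that since $\rho^{0}_{B}$ and $\rho^{1}_{B}$ are Fock diagonal states, 
without loss of generality we can always assume that dishonest Bob first measures the photon number of each pulse 
sent by Alice, and afterwards he performs his attack. For $n > 1$, we have 

$$\tilde{\rho}^{0,n,\text{sig}}_{B} = \frac{p^{n}_{\text{src}}}{n+1}\sum_{m=0}^{n-1}\left[(1-\eta)^{m} - (1-\eta)^{n}\right]|m,n-m\rangle\langle m,n-m|_{B},$$

$$\tilde{\rho}^{1,n,\text{sig}}_{B} = \frac{p^{n}_{\text{src}}}{n+1}\sum_{m=0}^{n-1}\left[(1-\eta)^{m} - (1-\eta)^{n}\right]|n-m,m\rangle\langle n-m,m|_{B},$$

$$\tilde{\rho}^{\text{vac},n}_{B} = p^{n}_{\text{src}}\frac{(1-\eta)^{n}}{n+1}\sum_{m=0}^{n}|m,n-m\rangle\langle m,n-m|_{B}.$$

The unnormalized states of Bob containing $n$ photons and corresponding to an encoding of a '0' or '1' respectively 
can then be written as 

$$\tilde{\rho}^{0,n}_{B} = (1 - p_{\text{dark}})\,\tilde{\rho}^{0,n,\text{sig}}_{B} + (1 - p_{\text{dark}})\,p_{\text{dark}}\,\tilde{\rho}^{\text{vac},n}_{B},$$
$$\tilde{\rho}^{1,n}_{B} = (1 - p_{\text{dark}})\,\tilde{\rho}^{1,n,\text{sig}}_{B} + (1 - p_{\text{dark}})\,p_{\text{dark}}\,\tilde{\rho}^{\text{vac},n}_{B}.$$

The normalization factor for both states is 

$$c_n := \mathrm{Tr}(\tilde{\rho}^{0,n}_{B}) = (1 - p_{\text{dark}})\,\mathrm{Tr}(\tilde{\rho}^{0,n,\text{sig}}_{B}) + (1 - p_{\text{dark}})\,p_{\text{dark}}\,\mathrm{Tr}(\tilde{\rho}^{\text{vac},n}_{B})$$

$$= (1 - p_{\text{dark}})\frac{p^{n}_{\text{src}}}{n+1}\sum_{m=0}^{n-1}\left[(1-\eta)^{m} - (1-\eta)^{n}\right] + (1 - p_{\text{dark}})\,p_{\text{dark}}\,p^{n}_{\text{src}}(1-\eta)^{n}.$$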

Claim C.1. The probability that Bob makes an error in decoding if Alice sent an $n$-photon signal and he is given the 
basis information for free is given by 

$$p^{d,n}_{B,\text{err}} = \frac{1}{2} - \frac{1}{2}\left(\frac{(1 - p_{\text{dark}})\,p^{n}_{\text{src}}}{2c_n(n+1)}\sum_{m=0}^{n}\left|(1-\eta)^{m} - (1-\eta)^{n-m}\right|\right). \tag{C27}$$

Proof. This is an immediate consequence of Helstrom's theorem [42] using the fact that an encoding of '0' and '1' are 
a priori equally probable for Bob. Furthermore, note that $\rho^{0,n}_{B}$ and $\rho^{1,n}_{B}$ are both Fock diagonal, and hence their trace 
distance is simply given by the classical statistical distance on the r.h.s. of 

$$\frac{1}{2}\left\|\rho^{0,n}_{B} - \rho^{1,n}_{B}\right\|_{1} = \frac{(1 - p_{\text{dark}})\,p^{n}_{\text{src}}}{2c_n(n+1)}\sum_{m=0}^{n}\left|(1-\eta)^{m} - (1-\eta)^{n-m}\right|. \tag{C28}$$

□ 
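Claim C.1 can be checked numerically by building the diagonals of Bob's two n-photon states and applying the Helstrom bound to them directly, then comparing with the closed-form sum. This is an added example, not code from the paper; the function names and the placeholder value for the source probability (which cancels in the result) are assumptions.

```python
def bob_n_photon_states(n, eta, p_dark, p_src_n=1.0):
    """Diagonals of Bob's unnormalized n-photon states in the basis |k, n-k>, k = 0..n.

    p_src_n is the source's n-photon probability; it cancels in the error
    probability, so the default 1.0 is only a placeholder.
    """
    q = 1 - eta
    # Weight of |m, n-m> when Alice's single click came from the signal (zero for m = n).
    w = [p_src_n / (n + 1) * (q ** m - q ** n) for m in range(n + 1)]
    vac = p_src_n * q ** n / (n + 1)        # Alice's single click was a dark count
    mix = lambda sig: [(1 - p_dark) * s + (1 - p_dark) * p_dark * vac for s in sig]
    return mix(w), mix(w[::-1])             # '0' encoding, '1' encoding

def helstrom_error(rho0, rho1):
    """Minimum error for two equiprobable, commuting (diagonal) states."""
    c_n = sum(rho0)                         # common normalization factor
    l1 = sum(abs(a - b) for a, b in zip(rho0, rho1))
    return 0.5 - 0.25 * l1 / c_n

def closed_form_error(n, eta, p_dark):
    """Same quantity from the sum over |(1-eta)^m - (1-eta)^(n-m)|."""
    q = 1 - eta
    c_n = (1 - p_dark) * (sum(q ** m - q ** n for m in range(n)) / (n + 1)
                          + p_dark * q ** n)
    dist = ((1 - p_dark) * sum(abs(q ** m - q ** (n - m)) for m in range(n + 1))
            / (2 * c_n * (n + 1)))
    return 0.5 - 0.5 * dist

def error_table(eta, p_dark, n_max=5):
    """Error probability of a basis-informed Bob for n = 1..n_max photons."""
    return [(n, helstrom_error(*bob_n_photon_states(n, eta, p_dark)))
            for n in range(1, n_max + 1)]

if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    for n, err in error_table(eta=0.5, p_dark=0.1):
        print(n, round(err, 6), round(closed_form_error(n, 0.5, 0.1), 6))
```

With no dark counts a single photon is decoded without error, while dark counts on Alice's side and multi-photon emissions both leave a nonzero error even when Bob knows the basis.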



